CVE-2025-50706: 
PHP vulnerability analysis and mitigation

A critical vulnerability has been identified in ThinkPHP version 5.1 through 5.1.* (CVE-2025-50706). The vulnerability allows remote attackers to execute arbitrary code via the routecheck function. This Local File Inclusion (LFI) vulnerability was discovered and disclosed on April 24, 2024, affecting Windows-based installations of ThinkPHP, while Linux systems are not impacted (XinYi Blog, CVE Details).

The vulnerability exists in the route checking mechanism of ThinkPHP 5.1. The issue stems from improper handling of path traversal sequences in the routecheck function. Specifically, when processing URL parameters, the application fails to properly sanitize directory traversal attempts using '..' sequences on Windows systems. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating remote exploitability with no required privileges or user interaction (NVD).

The vulnerability allows attackers to include and execute arbitrary PHP files on affected systems through path traversal, potentially leading to remote code execution. This can result in complete system compromise, as demonstrated by the ability to execute PHP code through file inclusion and even achieve command execution using the PEAR configuration functionality (XinYi Blog).

Users are advised to check the official ThinkPHP website for security updates and patches. As this vulnerability specifically affects Windows-based installations, organizations may consider temporarily moving critical applications to Linux-based systems as an immediate workaround, as the vulnerability is not exploitable on Linux platforms (CVE Details).