CVE-2025-50707: 
ThinkPHP vulnerability analysis and mitigation

An issue in thinkphp3 v.3.2.5 allows a remote attacker to execute arbitrary code via the index.php component. The vulnerability was discovered and disclosed on August 5, 2025, affecting ThinkPHP framework version 3.2.5 and below (MITRE, XinYiSec).

The vulnerability is a Local File Inclusion (LFI) issue that exists in the routing mechanism of ThinkPHP3. The flaw allows attackers to manipulate the 'a' parameter in URLs to include arbitrary HTML files containing PHP code. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high severity across confidentiality, integrity, and availability impacts (MITRE).

The vulnerability allows remote attackers to execute arbitrary code on affected systems by including malicious HTML files through the index.php component. This could lead to complete system compromise, as successful exploitation provides attackers with the ability to execute code with the privileges of the web server process (XinYiSec).

As ThinkPHP3 is no longer maintained, the primary recommendation is to upgrade to a supported version of the framework. For systems that cannot be immediately upgraded, it is recommended to implement strict input validation and access controls for the affected parameters (XinYiSec).