CVE-2025-0520: Unauthenticated Remote Code Execution via Unrestricted File Upload in ShowDoc
Vulnerability ID: CVE-2025-0520
CVSS Score: 9.4
Published: 2025-04-29
ShowDoc versions prior to 2.8.7 are vulnerable to a critical unrestricted file upload vulnerability due to an incorrect property configuration in the ThinkPHP file upload class. This allows unauthenticated attackers to upload arbitrary PHP web shells and achieve remote code execution.
TL;DR
A typo in the file extension whitelist property ('allowExts' instead of 'exts') in ShowDoc's image upload endpoint permits unauthenticated attackers to upload PHP files, resulting in remote code execution.
⚠️ Exploit Status: ACTIVE
Technical Details
- CWE ID: CWE-434
- Attack Vector: Network
- CVSS v4.0: 9.4 (Critical)
- EPSS Percentile: 81.78%
- Exploit Status: Active Exploitation / PoC Available
- Authentication: None Required
Affected Systems
- ShowDoc versions < 2.8.7
- ThinkPHP 3.x (underlying framework configuration)
- ShowDoc: < 2.8.7 (Fixed in: 2.8.7)
Exploit Details
- Vulhub: Proof of Concept and exploitation guide for the ShowDoc RCE vulnerability
Mitigation Strategies
- Upgrade ShowDoc to version 2.8.7 or later
- Deploy WAF rules to block .php uploads to the /index.php?s=/home/page/uploadImg endpoint
- Configure the web server to deny PHP execution in the /Public/Uploads/ directory
Remediation Steps:
- Locate the ShowDoc installation directory on the host server
- Update the application using the official upgrade script or repository pull
- Alternatively, manually edit server/Application/Home/Controller/PageController.class.php and change $upload->allowExts to $upload->exts
- Scan the Public/Uploads/ directory for unauthorized .php files and remove them
- Restart the web server to clear any cached PHP processes
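One way to carry out the scan step above, as an added example that is not from the advisory or the ShowDoc project: a Python script that walks the upload directory and flags files with a PHP-mapped extension anywhere in the name, and goes beyond the listed step by also flagging image-named files whose first bytes contain a PHP open tag. The extension list, the 8 KiB read window and the sample file names are assumptions.

```python
import os
import re
import sys
import tempfile

# Extensions commonly routed to the PHP handler (assumption: adjust to your server config).
PHP_EXTS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "pht"}
PHP_TAG = re.compile(rb"<\?(?:php|=)", re.IGNORECASE)


def scan_uploads(root, head_bytes=8192):
    """Return sorted (relative_path, reason) pairs for files that do not belong among images."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # Check every dot-separated suffix so a name like pic.php.jpg is flagged too.
            if PHP_EXTS & set(name.lower().split(".")[1:]):
                findings.append((rel, "php-extension"))
                continue
            with open(path, "rb") as fh:
                if PHP_TAG.search(fh.read(head_bytes)):
                    findings.append((rel, "php-tag-in-content"))
    return sorted(findings)


def demo():
    """Run the scan over a constructed upload tree (sample files, not real data)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "2025-04-29"))
        samples = {
            "2025-04-29/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
            "2025-04-29/a1b2.php": b"<?php echo 1; ?>",
            "2025-04-29/pic.PHP.jpg": b"\xff\xd8\xff\xe0",
            "avatar.gif": b"GIF89a<?php echo 1; ?>",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(data)
        return scan_uploads(root)


if __name__ == "__main__":
    # Usage: python scan_uploads.py /path/to/showdoc/Public/Uploads
    for rel, reason in (scan_uploads(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print(f"{reason}\t{rel}")
```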