PHP CVE-2025-49508

| EUVD-2025-18523 HIGH
PHP Remote File Inclusion (CWE-98)
2025-06-17 [email protected]
PHP Information Disclosure
8.1
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.7.1
EUVD ID Assigned
Mar 14, 2026 - 22:15 euvd
EUVD-2025-18523
Analysis Generated
Mar 14, 2026 - 22:15 vuln.today
CVE Published
Jun 17, 2025 - 15:15 nvd
HIGH 8.1

DescriptionNVD

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean CozyStay allows PHP Local File Inclusion. This issue affects CozyStay: from n/a through n/a.

AnalysisAI

PHP Local/Remote File Inclusion (LFI/RFI) vulnerability in LoftOcean CozyStay that allows unauthenticated remote attackers to include and execute arbitrary files through improper control of filename parameters in PHP include/require statements. The vulnerability affects CozyStay with a CVSS score of 8.1 (High severity), enabling attackers to read sensitive files, execute arbitrary code, or compromise system integrity without requiring user interaction or authentication.

Technical ContextAI

This vulnerability stems from CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program), a classic PHP security flaw where user-supplied input is passed unsanitized to PHP's include(), require(), include_once(), or require_once() functions. CozyStay, a property management/booking system by LoftOcean, fails to properly validate or sanitize filename parameters before using them in file inclusion statements. While classified as 'PHP Remote File Inclusion' in the CVE title, the description indicates Local File Inclusion (LFI) is the primary concern, though RFI may be possible if PHP wrappers (stream:// protocols) are enabled. The vulnerability bypasses critical security controls that should restrict includes to whitelisted paths or implement strict input validation.

RemediationAI

Immediate actions: (1) Contact LoftOcean for official security advisories and patch availability at https://loftocean.com or support channels; (2) Implement network segmentation to restrict direct internet access to CozyStay instances; (3) Deploy Web Application Firewall (WAF) rules to block common LFI payloads (e.g., regex patterns for '../', 'php://', 'file://', 'expect://' in request parameters); (4) Review and audit all include/require statements in CozyStay codebase for unsanitized user input. Long-term: Apply official patches from LoftOcean when released, upgrade to patched versions immediately. Mitigation: If patching is delayed, implement strict input validation using whitelisting (only allow expected filenames/directories) and disable PHP wrappers via php.ini (allow_url_include=Off, allow_url_fopen=Off).

Share

CVE-2025-49508 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy