CVE-2025-44136: MapTiler Tileserver-php v2.0 Vulnerable to Cross-Site Scripting (XSS)
MapTiler Tileserver-php, a popular solution for serving map tiles, has been found to contain a critical vulnerability. This post delves into the details of CVE-2025-44136, a Cross-Site Scripting (XSS) flaw that could allow attackers to execute arbitrary code in a user's browser. We'll cover the technical aspects, potential impact, and recommended mitigation steps to keep your systems secure.
Vulnerability Details
- CVE ID: CVE-2025-44136
- Description: MapTiler Tileserver-php v2.0 is vulnerable to Cross-Site Scripting (XSS). The GET parameter "layer" is reflected in an error message without HTML encoding. This leads to XSS and allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code on a victim's browser.
- CVSS Score: 9.8 (Critical)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVSS Explanation: The CVSS vector indicates this is a critical vulnerability because it's remotely exploitable (AV:N) with low complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). A successful exploit can lead to complete compromise of confidentiality (C:H), integrity (I:H), and availability (A:H). In simpler terms, an attacker can remotely take full control of the affected system without needing any credentials or user interaction.
- Exploit Requirements: An attacker can trigger the XSS vulnerability by crafting a malicious URL containing a payload in the 'layer' GET parameter and tricking a user into visiting it. No authentication is required.
- Affected Vendor: MapTiler
- Affected Product: Tileserver-php
- Affected Version: v2.0
- CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - This means the application doesn't properly sanitize user-provided input before displaying it in a web page, allowing an attacker to inject malicious scripts.
Timeline of Events
- 2025-07-29: Vulnerability publicly disclosed and CVE assigned.
Exploitability & Real-World Risk
This XSS vulnerability presents a significant risk. An attacker could craft a malicious link and distribute it via email, social media, or other channels. If a user clicks the link, the attacker's JavaScript code will execute in the user's browser, potentially allowing the attacker to:
- Steal cookies and session tokens.
- Deface the website.
- Redirect the user to a phishing site.
- Gain access to sensitive information.
Given the ease of exploitation and the potential impact, this vulnerability should be addressed immediately.
Recommendations
- Apply the Patch: Unfortunately, as of the time of writing, there's no official patch available. Monitor the MapTiler Tileserver-php repository for updates and apply the patch as soon as it's released.
- Input Validation: Implement robust input validation on the 'layer' parameter to ensure that user-supplied input is properly sanitized and HTML encoded before being displayed in any error messages or other parts of the web page. This should be implemented even before a patch is released.
- Web Application Firewall (WAF): Consider implementing a Web Application Firewall (WAF) to filter out malicious requests and protect against XSS attacks.
- Monitor Logs: Monitor your server logs for suspicious activity, such as requests containing unusual characters or patterns in the 'layer' parameter.
Technical Insight
The vulnerability lies in the fact that the `layer` parameter is directly reflected in an error message without proper HTML encoding. HTML encoding replaces characters like `<`, `>`, `&`, and `"` with their corresponding HTML entities (e.g., `&lt;`, `&gt;`, `&amp;`, `&quot;`). Without this encoding, an attacker can inject arbitrary HTML and JavaScript code into the page.
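As an added illustration that is not Tileserver-php's own code, the pattern the advisory describes written as a minimal PHP handler: the raw `layer` query value interpolated into an error message, beside the encoded and validated form. The function names, the message text and the character set accepted for a layer name are assumptions.

```php
<?php
// Added example (not Tileserver-php's code): reflection of the "layer" query
// parameter in an error message, unsafe vs. hardened. Names are assumptions.
declare(strict_types=1);

// Vulnerable pattern: the raw query value is interpolated straight into HTML.
function renderErrorUnsafe(string $layer): string
{
    return "<p>Error: layer '$layer' not found</p>";
}

// Hardened pattern 1: output encoding for the HTML element context. <, >, &,
// " and ' become entities, so the value is displayed as text, never parsed as markup.
// (Attribute, URL and JavaScript contexts need their own encoders, not this one.)
function renderErrorSafe(string $layer): string
{
    $encoded = htmlspecialchars($layer, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Error: layer '$encoded' not found</p>";
}

// Hardened pattern 2: input validation. A tile layer name only needs a narrow
// character set (assumed here), so anything else is rejected before any output.
function isValidLayerName(string $layer): bool
{
    return preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $layer) === 1;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample value containing markup, to compare the two renderers.
    $sample = '<b>osm</b>';
    echo renderErrorUnsafe($sample), PHP_EOL; // markup passes through intact
    echo renderErrorSafe($sample), PHP_EOL;   // markup arrives as entities
    var_dump(isValidLayerName($sample), isValidLayerName('osm_v2'));
    exit;
}

// Request handling: validate first, and encode on output regardless.
$layer = $_GET['layer'] ?? '';
if (!is_string($layer) || !isValidLayerName($layer)) {
    http_response_code(400);
    header('Content-Type: text/html; charset=UTF-8');
    // The rejection message also encodes the value, so the error path cannot reflect markup.
    echo renderErrorSafe(is_string($layer) ? $layer : '');
    exit;
}
// Defence in depth: a CSP without 'unsafe-inline' limits what an injected
// inline script can do if a reflection slips through elsewhere.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");
echo "<p>Serving tiles for layer '" . htmlspecialchars($layer, ENT_QUOTES, 'UTF-8') . "'</p>";
```

Run from the command line to compare the two renderers on the constructed sample; served through a web server, the same file validates and encodes the real query parameter.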
Credit to Researcher(s)
This vulnerability was discovered by mheranco.
Summary: MapTiler Tileserver-php v2.0 is vulnerable to Cross-Site Scripting (XSS). The 'layer' GET parameter is reflected in an error message without HTML encoding, allowing an unauthenticated attacker to execute arbitrary code in a user's browser. Immediate action is required to mitigate this risk.
CVE ID: CVE-2025-44136
Risk Analysis: Successful exploitation can allow an attacker to steal user credentials, deface the website, or redirect users to malicious websites. This could lead to financial loss, reputational damage, and legal consequences for the affected organization.
Recommendation: Immediately implement input validation and HTML encoding on the 'layer' parameter. Monitor the MapTiler Tileserver-php repository for official patches and apply them as soon as they are released. Consider implementing a Web Application Firewall (WAF) to filter out malicious requests.