CVE-2025-44137: MapTiler Tileserver-php Directory Traversal Vulnerability
TL;DR: A directory traversal vulnerability exists in MapTiler Tileserver-php v2.0, allowing unauthenticated attackers to read sensitive files on the web server by manipulating request parameters.
Vulnerability Details
- CVE ID: CVE-2025-44137
- Description: The renderTile function in tileserver.php is vulnerable to directory traversal. By injecting ../ sequences into the TileMatrix, TileRow, TileCol, or Format GET parameters, an attacker can bypass path validation and read arbitrary files from the server's filesystem.
- CVSS Score and Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N, Score: 8.2 (High)
This means the vulnerability is remotely exploitable (AV:N) with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). It allows an attacker to read some sensitive information (C:L) and modify important data (I:H), but does not affect availability (A:N).
- Exploit Requirements: No authentication is required. The attacker needs to send a crafted HTTP GET request to the vulnerable endpoint.
- Affected Vendor, Product, Version: MapTiler, Tileserver-php, v2.0
- CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-22 describes a situation where an application does not properly validate user-supplied input that is used to construct a file path. This allows an attacker to escape the intended directory and access or manipulate files outside that directory.
Timeline of Events
- 2025-07-29: CVE ID assigned and vulnerability reported.
Exploitability & Real-World Risk
This vulnerability is highly exploitable due to its simplicity. An attacker can easily read configuration files containing database credentials, API keys, or other sensitive information. In a real-world attack, this could lead to a full system compromise or data breach. Given the widespread use of MapTiler in mapping and geospatial applications, the impact could be significant.
Recommendations
- Patch: Upgrade to a patched version of Tileserver-php that includes proper input validation and sanitization to prevent directory traversal attacks.
- Configuration Changes: Implement strict input validation on the server side to sanitize the TileMatrix, TileRow, TileCol, and Format parameters.
- Best Practices: Regularly audit your applications for security vulnerabilities and keep your software up to date. Follow secure coding practices to prevent common vulnerabilities such as directory traversal.
Technical Insight
The vulnerability occurs because the renderTile function does not properly validate the input parameters used to construct the file path for the tile being requested. By injecting ../ sequences, the attacker can navigate up the directory tree and access files outside the intended tile directory.
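The following is an added example written for this advisory, not code from tileserver.php, showing the kind of strict parameter validation the recommendations above call for: each of TileMatrix, TileRow, TileCol and Format is checked against a narrow allow-list before any path is built, and the resolved path is then confirmed to stay under the tile directory. The on-disk layout (matrix/column/row.format), the base directory and the format allow-list are assumptions for illustration.

```python
import os
import re

# Constructed example (not tileserver.php's code). Assumed on-disk layout:
#   <base_dir>/<TileMatrix>/<TileCol>/<TileRow>.<Format>
ALLOWED_FORMATS = {"png", "jpg", "jpeg", "webp", "pbf"}   # assumed allow-list
_NON_NEG_INT = re.compile(r"^(0|[1-9][0-9]{0,3})$")        # digits only: no '.', '/', '-'


def vulnerable_tile_path(base_dir, tile_matrix, tile_row, tile_col, fmt):
    """CWE-22 pattern for contrast: request values are joined into the path unchecked,
    so '../' segments walk out of base_dir."""
    return os.path.normpath(
        os.path.join(base_dir, tile_matrix, tile_col, f"{tile_row}.{fmt}"))


def build_tile_path(base_dir, tile_matrix, tile_row, tile_col, fmt):
    """Return an absolute tile path, or None when any parameter fails validation.

    Defence 1: allow-list each parameter (integers for matrix/row/col, fixed set
    for format) so '../' can never appear in a path component.
    Defence 2: resolve the result and require it to remain inside base_dir.
    """
    for value in (tile_matrix, tile_row, tile_col):
        if not isinstance(value, str) or not _NON_NEG_INT.match(value):
            return None
    if not isinstance(fmt, str) or fmt not in ALLOWED_FORMATS:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(
        os.path.join(base, tile_matrix, tile_col, f"{tile_row}.{fmt}"))
    # Containment check (defence in depth): the resolved path must share
    # base as its common prefix, otherwise something slipped past validation.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    base = "/srv/tiles"                                       # assumed tile root
    print(build_tile_path(base, "3", "4", "5", "png"))        # a normal tile request
    print(build_tile_path(base, "../../etc", "passwd", "0", "png"))  # rejected: None
```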
Credit to Researcher(s)
This vulnerability was discovered and reported by mheranco.
Tags
#Security #CVE-2025-44137 #DirectoryTraversal #MapTiler #Tileserver-php #FileRead #RemoteAccess
Summary: A directory traversal vulnerability in MapTiler Tileserver-php v2.0 allows unauthenticated attackers to read arbitrary files on the web server by manipulating the TileMatrix, TileRow, TileCol, or Format GET parameters. This could lead to the exposure of sensitive information and potential system compromise.
CVE ID: CVE-2025-44137
Risk Analysis: Successful exploitation of this vulnerability allows an attacker to read arbitrary files on the web server. This could expose sensitive data such as configuration files, credentials, source code, or user data, leading to further attacks and potential system compromise or data breach.
Recommendation: Upgrade to a patched version of MapTiler Tileserver-php or implement strict input validation to sanitize the TileMatrix, TileRow, TileCol, and Format parameters. Limit access to sensitive files and directories using proper file permissions.
Timeline
- 2025-07-29: Vulnerability reported and CVE-2025-44137 assigned.