/claim #14310

Description

This PR adds a Nuclei template to detect CVE-2024-44902, a critical insecure deserialization vulnerability in ThinkPHP versions 6.1.3 through 8.0.4.

Vulnerability Details

  • CVE ID: CVE-2024-44902
  • Severity: Critical (CVSS 9.8)
  • Affected Versions: ThinkPHP 6.1.3 - 8.0.4
  • Vulnerability Type: Insecure Deserialization → RCE (CWE-502)
  • Gadget Chain: ResourceRegister → DbManager → Memcached → Pivot → Model

Note: Requires Memcached PHP extension.

Template

File: http/cves/2024/CVE-2024-44902.yaml

Detection uses OOB (Out-of-Band) with OR matchers:

  1. curl-http-callback: HTTP callback with curl user-agent verification
  2. nslookup-dns-callback: DNS callback for SRV query detection

Testing

Test environment: https://github.com/KrE80r/CVE-2024-44902-env

This is a ThinkPHP application created with composer create-project. The vulnerable controller (/api/import) handles serialized data - a pattern found in applications doing data sync, cache restoration, or legacy API integration.

git clone https://github.com/KrE80r/CVE-2024-44902-env.git && cd CVE-2024-44902-env
docker compose up -d
nuclei -t http/cves/2024/CVE-2024-44902.yaml -u http://localhost:8080

Results: Vulnerable target detected via OOB callback.
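
Added example, not part of this PR or the Nuclei template: a defender-side check that flags request bodies (such as those sent to /api/import) carrying serialized PHP objects, and alerts when a declared class is one of the gadget-chain classes listed above. The function names, the sample bodies and the think\... namespaces in them are assumptions; the page gives only the short class names.

```python
import base64
import binascii
import re
from urllib.parse import unquote_plus

# Short class names from the gadget chain listed in the PR description,
# lowercased because PHP class names are case-insensitive.
GADGET_CLASSES = {"resourceregister", "dbmanager", "memcached", "pivot", "model"}
# PHP serialize() object header: O:<name length>:"<class name>":<property count>:{
OBJECT_HEADER = re.compile(r'O:(\d+):"([^"]+)":\d+:\{')

def candidate_views(body):
    """Yield the body as sent, URL-decoded, and base64-decoded (when valid)."""
    yield body
    yield unquote_plus(body)
    try:
        yield base64.b64decode(body, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        pass

def serialized_classes(body):
    """Return class names declared by serialized PHP objects in the body."""
    found = set()
    for view in candidate_views(body):
        for declared_len, name in OBJECT_HEADER.findall(view):
            if int(declared_len) == len(name):  # drop text that only resembles a header
                found.add(name)
    return found

def assess(body):
    """'alert' on a gadget-chain class, 'review' on any other object, else 'ok'."""
    classes = serialized_classes(body)
    hits = sorted(c for c in classes if c.rsplit("\\", 1)[-1].lower() in GADGET_CLASSES)
    if hits:
        return "alert", hits
    return ("review", sorted(classes)) if classes else ("ok", [])

# Constructed request bodies (empty objects only), not captured traffic.
SAMPLES = [
    r'O:17:"think\model\Pivot":0:{}',
    "payload=O%3A15%3A%22think%5CDbManager%22%3A0%3A%7B%7D",
    base64.b64encode(b'O:8:"stdClass":0:{}').decode(),
    '{"name": "alice"}',
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(assess(body), body[:40])
```

A "review" result is still worth triage: any object header reaching an endpoint that deserializes request data means the endpoint accepts attacker-chosen classes.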

Claim

Total prize pool $100
Total paid $0
Status Pending
Submitted December 11, 2025
Last updated December 11, 2025

Contributors

KrE80r (@KrE80r): 100%

Sponsors

ProjectDiscovery (@projectdiscovery): $100