Platform
php
Component
phptransformer
Fixed in
2016.9.1
CVE-2019-25579 is a directory traversal vulnerability in phpTransformer version 2016.9. The flaw lets an unauthenticated attacker read arbitrary files on the server by manipulating the path parameter in requests to the jQueryFileUploadmaster server endpoint. Successful exploitation can expose sensitive configuration files, source code, or other critical data.
The primary impact of CVE-2019-25579 is unauthorized access to files on the server hosting phpTransformer. An attacker supplies directory traversal sequences (e.g., ../../../../../../) in the path parameter to step outside the intended directory and list or retrieve files. This can expose configuration files containing database credentials, API keys, or other secrets, and access to source code can reveal further vulnerabilities or intellectual property. The blast radius covers every file readable by the account the web server runs as, so it depends on that account's permissions and on the server's configuration.
CVE-2019-25579 was published on 2026-03-21. There is currently no indication of active exploitation campaigns targeting this vulnerability, but public proof-of-concept (PoC) code may already exist or emerge, which would raise the risk. Because exploitation requires only a single crafted request with a manipulated parameter, the flaw is a natural target for automated scanning and exploitation tools.
Exploit Status
EPSS
3.31% (87th percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2019-25579 is to upgrade to phpTransformer 2016.9.1 or later, the fixed version listed above. Rolling back to an older release does not remove the flaw; if upgrading is not immediately feasible, disable or restrict access to the affected upload endpoint instead. As a temporary workaround, validate the path parameter server-side: canonicalise it and reject any value that resolves outside the intended directory, rather than only searching for a literal "../" (which misses encoded and double-encoded variants). A web application firewall (WAF) can block requests whose path parameter contains traversal patterns, including URL-encoded forms, but should be treated as defense in depth, not as the fix. Monitor web-server logs for requests to the endpoint whose path parameter contains traversal sequences.
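The following is an added example, not code from phpTransformer or from this advisory, of the server-side validation described above: a resolver for a user-supplied path parameter that rejects traversal before touching the filesystem and then confirms the canonical path still lies under the upload root. The upload root (`./files`), the function name and the sample inputs are assumptions chosen for illustration.

```php
<?php
// Added example (not phpTransformer's own code): a hardened resolver for a
// user-supplied "path" parameter like the one abused in CVE-2019-25579.
// UPLOAD_BASE and the sample inputs below are assumptions for illustration.

declare(strict_types=1);

const UPLOAD_BASE = __DIR__ . '/files';   // assumed upload root

/**
 * Return the canonical on-disk path for $userPath if, and only if, it
 * stays inside UPLOAD_BASE. Returns null for anything that must be refused.
 */
function resolve_upload_path(string $userPath): ?string
{
    // 1. Reject NUL bytes: PHP 8 throws on them, older versions truncate the path.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    // 2. Reject absolute paths (POSIX, Windows drive, UNC) and any '..' segment
    //    before touching the filesystem. Both '/' and '\' count as separators.
    if (preg_match('#^(?:[a-zA-Z]:)?[\\\\/]#', $userPath)) {
        return null;
    }
    foreach (preg_split('#[\\\\/]+#', $userPath) as $segment) {
        if ($segment === '..') {
            return null;
        }
    }
    // 3. Canonicalise and confirm the result is still under the base directory.
    //    realpath() resolves symlinks, so a link pointing outside is caught too.
    $base = realpath(UPLOAD_BASE);
    $real = realpath(UPLOAD_BASE . '/' . $userPath);
    if ($base === false || $real === false) {
        return null;                      // base missing or target does not exist
    }
    if ($real !== $base && strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                      // escaped the base directory
    }
    return $real;
}

// Self-check against constructed inputs (creates ./files/docs/a.txt if absent).
if (PHP_SAPI === 'cli') {
    @mkdir(UPLOAD_BASE . '/docs', 0700, true);
    touch(UPLOAD_BASE . '/docs/a.txt');
    $cases = [
        'docs/a.txt'             => true,
        'docs'                   => true,  // listing a subdirectory is fine
        'docs/../docs/a.txt'     => false, // '..' refused even though it lands inside
        '../../../../etc/passwd' => false,
        '/etc/passwd'            => false,
        "docs/a.txt\0.jpg"       => false,
    ];
    foreach ($cases as $input => $expectAllowed) {
        $allowed = resolve_upload_path($input) !== null;
        printf("%-26s %s\n", addcslashes($input, "\0"),
            $allowed === $expectAllowed ? 'ok' : 'MISMATCH');
    }
}
```

The order of the checks matters: the textual rejection in steps 1 and 2 stops attacker-controlled strings from ever reaching `realpath()`, and the prefix comparison in step 3 catches what text checks cannot see, such as a symlink inside the upload root that points elsewhere. Refusing every `..` segment, even one that would resolve back inside the root, is deliberate; a file-upload endpoint has no legitimate need for it.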
Update phpTransformer to a patched version or remove the software. The vulnerability allows access to arbitrary files, so it is crucial to take immediate action to protect the system.
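To check whether an exposed instance has already been probed, the following added example (not part of this advisory or of phpTransformer) scans access-log lines for a path parameter that carries a traversal sequence, repeating URL decoding so that encoded and double-encoded payloads are caught. The log lines are constructed, and the endpoint URL in them is an assumption based on the endpoint name given above.

```php
<?php
// Added example (not from the phpTransformer project): flag access-log lines
// whose "path" query parameter carries a traversal attempt, including
// URL-encoded and double-encoded forms. Log lines and endpoint URL are
// constructed for this example.

declare(strict_types=1);

/**
 * Return true if the request in $logLine has a "path" parameter that, after
 * repeated URL decoding, contains a '..' segment or an absolute path.
 */
function is_traversal_attempt(string $logLine): bool
{
    // Common/combined log format: "METHOD /uri?query HTTP/x.y"
    if (!preg_match('#"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/#', $logLine, $m)) {
        return false;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return false;
    }
    parse_str($query, $params);
    if (!isset($params['path']) || !is_string($params['path'])) {
        return false;
    }
    // parse_str() already decoded once; decode again (bounded) to unwrap
    // double encoding such as %252e%252e%252f, a common WAF-bypass trick.
    $path = $params['path'];
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($path);
        if ($decoded === $path) {
            break;
        }
        $path = $decoded;
    }
    $path = str_replace('\\', '/', $path);
    if (preg_match('#^/|^[a-zA-Z]:/#', $path)) {
        return true;                      // absolute path
    }
    foreach (explode('/', $path) as $segment) {
        if ($segment === '..') {
            return true;                  // traversal segment
        }
    }
    return false;
}

// Constructed sample log lines; the endpoint URL is an assumption.
$sample = [
    '203.0.113.5 - - [21/Mar/2026:10:01:02 +0000] "GET /jQueryFileUploadmaster/server/php/index.php?path=../../../../../../etc/passwd HTTP/1.1" 200 1834',
    '203.0.113.5 - - [21/Mar/2026:10:01:03 +0000] "GET /jQueryFileUploadmaster/server/php/index.php?path=%2e%2e%2f%2e%2e%2fconfig.php HTTP/1.1" 200 902',
    '203.0.113.5 - - [21/Mar/2026:10:01:04 +0000] "GET /jQueryFileUploadmaster/server/php/index.php?path=%252e%252e%252fconfig.php HTTP/1.1" 200 902',
    '198.51.100.7 - - [21/Mar/2026:10:02:00 +0000] "GET /jQueryFileUploadmaster/server/php/index.php?path=docs/report.pdf HTTP/1.1" 200 55120',
];
foreach ($sample as $line) {
    printf("%s  %s\n", is_traversal_attempt($line) ? 'ALERT' : 'ok   ', substr($line, 0, 100));
}
```

The first three lines are flagged and the fourth is not. Note that the HTTP status alone is not a reliable signal: a successful read of a sensitive file and a legitimate download both return 200, so the decision has to be made on the decoded parameter value.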
CVE-2019-25579 is a directory traversal vulnerability in phpTransformer version 2016.9 that allows attackers to access arbitrary files by manipulating the path parameter.
If you are running phpTransformer version 2016.9, you are affected by this vulnerability. Upgrade to a patched version (2016.9.1 or later) as soon as possible.
The recommended fix is to upgrade to a patched version of phpTransformer. If upgrading is not immediately feasible, implement strict input validation and consider WAF rules as temporary mitigations.
There is currently no confirmed evidence of active exploitation, but the vulnerability's simplicity makes it a potential target.
Refer to the relevant security advisories and announcements from the phpTransformer project or related security communities for the latest information.