CVE-2025-44137

MapTiler Tileserver-php v2.0 is vulnerable to Directory Traversal. The renderTile function within tileserver.php is responsible for delivering tiles that are stored as files on the server via web request. Creating the path to a file allows the insertion of "../" and thus read any file on the web server. Affected GET parameters are "TileMatrix", "TileRow", "TileCol" and "Format"

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/maptiler/tileserver-php/commit/4fe14e6164bbe2a3f9e3b3d7acf303e3ec210c8e
https://github.com/maptiler/tileserver-php/issues/167	Exploit Issue Tracking
https://github.com/mheranco/CVE-2025-44137	Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:maptiler:tileserver_php:2.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-07-29 17:15

Updated : 2026-01-20 21:16

NVD link : CVE-2025-44137

Mitre link : CVE-2025-44137

CVE.ORG link : CVE-2025-44137

JSON object : View

Products Affected

maptiler

tileserver_php

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2025-44137", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.2, "exploitabilityScore": 3.9}]}, "published": "2025-07-29T17:15:33.493", "references": [{"url": "https://github.com/maptiler/tileserver-php/commit/4fe14e6164bbe2a3f9e3b3d7acf303e3ec210c8e", "source": "cve@mitre.org"}, {"url": "https://github.com/maptiler/tileserver-php/issues/167", "tags": ["Exploit", "Issue Tracking"], "source": "cve@mitre.org"}, {"url": "https://github.com/mheranco/CVE-2025-44137", "tags": ["Exploit"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "MapTiler Tileserver-php v2.0 is vulnerable to Directory Traversal. The renderTile function within tileserver.php is responsible for delivering tiles that are stored as files on the server via web request. Creating the path to a file allows the insertion of \"../\" and thus read any file on the web server. Affected GET parameters are \"TileMatrix\", \"TileRow\", \"TileCol\" and \"Format\""}, {"lang": "es", "value": "MapTiler Tileserver-php v2.0 es vulnerable a Directory Traversal. La funci\u00f3n renderTile de tileserver.php se encarga de entregar los mosaicos almacenados como archivos en el servidor mediante una solicitud web. Crear la ruta a un archivo permite insertar \"../\" y, por lo tanto, leer cualquier archivo en el servidor web. Los par\u00e1metros GET afectados son \"TileMatrix\", \"TileRow\", \"TileCol\" y \"Format\"."}], "lastModified": "2026-01-20T21:16:02.920", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:maptiler:tileserver_php:2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "08A42D37-DC8C-4FED-8840-47FDA1818564"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}