How the mentioned CVE works:
The vulnerability resides in FlightPHP's default error handler `Engine::_error()` (lines 678-704 in flight/Engine.php).
This method catches any uncaught `Throwable` and builds an HTML response containing the full exception message, the exception code, and the entire stack trace from `$e->getTraceAsString()`.
No check such as a `flight.debug` setting or any environment gating is performed before this verbose page is emitted, so even in production the handler sends an HTTP 500 response with the raw exception details straight to the client.
Attackers trigger this by causing any uncaught exception – for example, passing malformed input that leads to a filesystem operation failure, a database error, or a deliberately thrown exception in application code.
The error message may include interpolated secrets (e.g., database credentials, API tokens) if the exception was constructed with those values.
The stack trace reveals absolute filesystem paths (e.g., /var/www/config/db.yml), vendor directories, and internal class/method names.
No debug mode is required; the behavior is default.
Proof of concept: accessing a route that forces an exception (e.g., /poc5/error) returns a 500 page with paths like `/home/user/app/vendor/flightphp/core/flight/Engine.php` and any secret embedded in the message.
The framework's `handleError()` also converts PHP warnings and notices into exceptions, so an ordinary warning (for example a failed read of a missing file) reaches the same handler and produces the same stack-trace disclosure.
On its own this is an information leak; its value to an attacker is that absolute paths turn a blind path traversal or local file inclusion (LFI) weakness elsewhere into a precise one, and the vendor directory layout reveals which packages, and therefore which known bugs, are installed.
The patch (commit b8dd23a, version 3.18.1) introduces a `flight.debug` setting (default false).
When false, the handler emits only a generic `500 Internal Server Error` page with no details.
Developers must explicitly set `flight.debug = true` in local environments to restore verbose tracing.
The vulnerability was discovered by @Rootingg.
dailycve form:
Platform: FlightPHP
Version: <=3.18.0
Vulnerability: Full path disclosure
Severity: Medium
Date: 2026-05-06
Prediction: Already patched (3.18.1)
What Undercode Say:
- Trigger the error disclosure with a request to the throwing route: `curl -v "http://target.com/poc5/error"`
- Extract leaked absolute paths and secrets from the response: `curl -s "http://target.com/poc5/error" | grep -E '(/home/|/var/www/|token=|secret|password)'`
- Check the installed version: `composer show flightphp/core | grep versions` (anything at or below 3.18.0 is affected; grepping for the literal `3.18.0` misses older releases)
- Verify the `flight.debug` setting (production should be false): `grep -r "flight.debug" /path/to/app/config/` (extend the search to the whole application, since the value can also be set in code via `Flight::set()`; no match on an unpatched install means the gate does not exist yet, not that it is off)
How Exploit:
- Identify endpoints whose handlers can throw an uncaught exception (e.g., file operations on user-supplied names, database queries, input parsing). An unmatched URL is not enough on its own: Flight answers that with its 404 handler, not with `_error()`.
- Send requests that force the exception, for example a path parameter such as `../../config/db.yml` that makes a file operation fail, or the proof-of-concept route `/poc5/error`.
- Capture the HTTP 500 response and extract absolute filesystem paths, the vendor directory structure, and any secrets (API keys, DB credentials) present in the exception message.
- Use leaked paths (e.g., `/var/www/config/db.yml`) to aim LFI attacks or further reconnaissance, and combine them with other weaknesses (e.g., file upload, include functions) to read arbitrary files or escalate privileges.
Protection from this CVE:
- Upgrade to FlightPHP 3.18.1 or later immediately (`composer update flightphp/core`).
- If patching is not possible, manually edit `flight/Engine.php` so that `_error()` writes the message, code and trace only when `$this->get('flight.debug') === true`, and otherwise sends a bare 500 page. Do not wrap the call in `isset()`: `isset()` cannot be applied to the result of a method call and is a compile error in PHP, and the strict `=== true` comparison already handles a key that was never set.
- Keep `flight.debug` false in production (this is the default after the patch); only an explicit `true` re-creates the leak.
- Ensure no custom error handlers override the patched method to re-enable verbose output.
- Review exception messages in code so that credentials and tokens are never interpolated into them; if they must be recorded at all, they belong in server-side logs, not in the response.
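The handler behaviour described under "How the mentioned CVE works" and the debug gate recommended under "Protection from this CVE", as an added PHP illustration. This is not FlightPHP's code: `DemoApp`, its methods, `leaksDetails()`, the two sample routes, the fake credential and the missing-file path are all assumptions made for the example. It renders the same throwable once unconditionally (the pre-3.18.1 shape) and once behind an explicit debug flag (the shape of the fix), promotes a PHP warning to an exception the way a framework error handler does, and checks each response body for the tell-tale content of a verbose error page.

```php
<?php
declare(strict_types=1);

// Added illustration, not FlightPHP's code. Models a framework catch-all that
// renders the Throwable into the 500 page, first without any gate and then
// behind an explicit debug flag. All names here are assumptions.
final class DemoApp
{
    public function __construct(private bool $debug = false) {}

    // Pre-fix shape: message, code and full trace are written to the client
    // unconditionally, so paths in the trace and any secret interpolated
    // into the message leave the server.
    public function renderVerbose(Throwable $e): string
    {
        return "<h1>500 Internal Server Error</h1>\n"
            . '<h3>' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8')
            . ' (' . $e->getCode() . ")</h3>\n"
            . '<pre>' . htmlspecialchars($e->getTraceAsString(), ENT_QUOTES, 'UTF-8') . "</pre>\n";
    }

    // Post-fix shape: the detail goes to the server log; the client sees it
    // only when the debug flag has been switched on explicitly.
    public function renderError(Throwable $e): string
    {
        error_log(sprintf('%s: %s at %s:%d', get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
        error_log($e->getTraceAsString());
        return $this->debug
            ? $this->renderVerbose($e)
            : "<h1>500 Internal Server Error</h1>\n";
    }

    // Equivalent of a framework error handler that promotes PHP warnings and
    // notices to exceptions, so a failed file read ends up in renderError().
    public function install(): void
    {
        set_error_handler(function (int $no, string $str, string $file, int $line): bool {
            throw new ErrorException($str, 0, $no, $file, $line);
        });
    }

    // Runs a route and turns any uncaught Throwable into a response body.
    public function dispatch(callable $route): string
    {
        try {
            $route();
            return "OK\n";
        } catch (Throwable $e) {
            return $this->renderError($e);
        }
    }
}

// Constructed routes. The credential and the path are fake values chosen to
// make the leak visible; they are not from any real deployment.
$dbRoute = function (): void {
    $dsn = 'mysql:host=db.internal;dbname=app';
    $password = 'example-not-a-real-secret';
    throw new RuntimeException("connect to $dsn failed (password=$password)", 2002);
};
$fileRoute = function (): void {
    // Emits E_WARNING on a missing file; the installed handler turns it into
    // an ErrorException whose trace carries the absolute path of this script.
    file_get_contents('/definitely/missing/config/db.yml');
};

// Detects the content a verbose error page gives away: an absolute path with
// at least two components, or a credential-looking token.
function leaksDetails(string $body): bool
{
    return preg_match('~(?:/[\w.-]+){2,}|password=~i', $body) === 1;
}

$prod = new DemoApp(false);
$prod->install();
foreach ([$dbRoute, $fileRoute] as $route) {
    $body = $prod->dispatch($route);
    echo $body;
    echo 'leaks details: ', leaksDetails($body) ? 'yes' : 'no', "\n";
}

$dev = new DemoApp(true);
echo 'debug on, leaks details: ', leaksDetails($dev->dispatch($dbRoute)) ? 'yes' : 'no', "\n";
restore_error_handler();
```

Run with `php demo.php`. With the flag off, both routes produce only the generic heading and `leaksDetails()` reports nothing, while the full message and trace still reach `error_log()`; with the flag on, the same route exposes the interpolated credential and the script's absolute path in the body. The `leaksDetails()` regex is the same idea as the `grep` in the section above, applied to a response body in code rather than to `curl` output.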
Impact:
- Disclosure of absolute filesystem paths, enabling precise LFI and path traversal attacks.
- Leakage of database credentials, API tokens, or other secrets if they appear in exception messages.
- Enumeration of installed vendor packages and internal application file hierarchy.
- Information that can be chained with other vulnerabilities (e.g., SQL injection, file inclusion) to fully compromise the server.
- No authentication required; any unauthenticated user can trigger the disclosure.
Sources:
Reported By: github.com

