CVE-2025-64205 in Jannah Plugin
Summary
by MITRE • 12/18/2025
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TieLabs Jannah jannah allows PHP Local File Inclusion. This issue affects Jannah: from n/a through <= 7.6.0.
Analysis
by VulDB Data Team • 01/21/2026
CVE-2025-64205 is a critical flaw in the TieLabs Jannah (jannah) content management system that exposes deployments to file inclusion attacks through improper handling of the filename passed to include/require statements. The weakness belongs to the PHP Remote File Inclusion (RFI) class, categorized under CWE-88 as improper control of a filename used in an include/require statement. The flaw affects every Jannah release up to and including version 7.6.0, which makes for a substantial attack surface across installed sites.
The vulnerability arises when the application fails to validate or sanitize user input before using it in a PHP include or require statement. An attacker who controls the parameter that selects the included file can potentially execute arbitrary code on the server by causing it to include a file from a remote location or an unintended local file. That gives a direct path to privilege escalation, access to sensitive data, or a persistent backdoor on the affected system. The flaw is particularly dangerous because it permits local file inclusion: an attacker can use the web server's own file access to read local files, including configuration files, database credentials, and other sensitive material.
The operational impact of CVE-2025-64205 goes well beyond simple data theft, because the flaw gives an attacker a foothold for further exploitation of the target environment. It maps to ATT&CK technique T1190, Exploit Public-Facing Application, a common vector for gaining initial access. Consequences include data breaches, system compromise, and unauthorized access to administrative functions. Organizations running affected Jannah versions face a significant risk of unauthorized code execution, which can lead to complete system takeover and data exfiltration. Because the issue is a local file inclusion, an attacker can also read local files that hold sensitive information such as database connection strings, application secrets, or user credentials stored in configuration files.
Mitigation for CVE-2025-64205 must cover both immediate remediation and longer-term hardening. The primary recommendation is to upgrade to a patched version of Jannah beyond 7.6.0, the most direct fix for the vulnerability. Beyond that, proper input validation and sanitization should be enforced throughout the application codebase, especially wherever file inclusion occurs. Security teams should also consider a web application firewall with rules designed to detect and block suspicious include/require parameter patterns. Industry best practice is that developers never pass user-controllable values directly to include/require statements and instead use an allow-list (whitelist) that maps input to a fixed set of known-safe file paths. The ATT&CK framework further recommends keeping vulnerability assessments current and enforcing access controls that limit the blast radius of such flaws. Regular security audits and code reviews focused on file inclusion patterns help find and fix similar weaknesses before they are exploited.
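The following is an added example, not code from the Jannah theme or from VulDB, illustrating the unsafe include pattern described above beside the allow-listed, containment-checked form the mitigation section calls for. The request parameter name (`template`), the template directory, the allow-list entries, and the sample inputs are all assumptions made for the demonstration; the files it includes are created in a temporary directory so it runs offline.

```php
<?php
// Added example (not the Jannah theme's own code): unsafe include pattern
// beside an allow-listed version. The parameter name, template directory,
// allow-list entries and sample inputs are assumptions for this demo.

declare(strict_types=1);

// --- Vulnerable pattern ----------------------------------------------------
// The request parameter decides which file is loaded. Nothing constrains it to
// the template directory, and with allow_url_include enabled it is not even
// constrained to the local filesystem. Shown for contrast only; never called.
function renderUnsafe(array $query): void
{
    $template = $query['template'] ?? 'default';
    include __DIR__ . '/templates/' . $template . '.php';
}

// --- Hardened pattern ------------------------------------------------------
// 1. Map the untrusted name onto a fixed set of known files (allow-list).
// 2. Resolve the result with realpath() and confirm it still lies inside the
//    template directory, so symlinks or stray path segments cannot escape.
const TEMPLATE_ALLOWLIST = [
    'default' => 'default.php',
    'post'    => 'single-post.php',
    'archive' => 'archive.php',
];

/**
 * Returns the absolute path of the template to include, or null when the
 * requested name is not on the allow-list or resolves outside $templateDir.
 */
function resolveTemplate(string $requested, string $templateDir): ?string
{
    if (!array_key_exists($requested, TEMPLATE_ALLOWLIST)) {
        return null;                 // unknown name: refuse, never guess
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . DIRECTORY_SEPARATOR . TEMPLATE_ALLOWLIST[$requested]);
    if ($base === false || $path === false) {
        return null;                 // directory or file missing
    }
    // Containment check: resolved file must sit under the template directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function renderSafe(array $query, string $templateDir): void
{
    $path = resolveTemplate((string) ($query['template'] ?? 'default'), $templateDir);
    if ($path === null) {
        http_response_code(400);
        echo "unknown template\n";
        return;
    }
    include $path;                   // only ever a file we chose ourselves
}

// --- Demonstration with constructed files in a temporary directory ---------
$dir = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir($dir, 0700, true);
foreach (TEMPLATE_ALLOWLIST as $file) {
    // Each constructed template just reports its own name when included.
    file_put_contents("$dir/$file", '<?php echo "rendered " . basename(__FILE__) . "\n";' . "\n");
}

// Constructed inputs: valid names plus a traversal string and a URL, both of
// which the resolver must reject.
$inputs = ['post', 'archive', 'default', '../secrets.php', 'http://example.invalid/tpl'];
foreach ($inputs as $in) {
    $resolved = resolveTemplate($in, $dir);
    printf("%-30s => %s\n", var_export($in, true), $resolved === null ? 'REJECTED' : basename($resolved));
}
renderSafe(['template' => 'post'], $dir);

// Clean up the constructed files.
foreach (TEMPLATE_ALLOWLIST as $file) {
    unlink("$dir/$file");
}
rmdir($dir);
```

The allow-list does the real work: the user-supplied value is only ever used as a key into a fixed array, so the include statement never sees attacker-controlled text. The realpath containment check is defence in depth against a misconfigured template directory or a symlinked entry, and it is cheap enough to keep even where the allow-list alone would suffice.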