Nette framework PHP code injection via callback
Description
The Nette Framework contains a remote code execution vulnerability in nette/application (versions prior to 2.2.10, 2.3.14, 2.4.16, and 3.0.6) and nette/nette (versions prior to 2.0.19 and 2.1.13). Attackers can inject and execute arbitrary PHP code by crafting malicious URL parameters that exploit improper validation of callback functions. This vulnerability allows unauthenticated remote attackers to compromise affected applications without requiring user interaction.
Remediation
Immediately upgrade to a patched version of the affected packages:
For nette/application: upgrade to 2.2.10, 2.3.14, 2.4.16 or 3.0.6 (or later), whichever matches the release branch you are on.
For nette/nette: upgrade to 2.0.19 or 2.1.13 (or later), whichever matches the release branch you are on.
Update the version constraint in your composer.json and run the following commands (shown here for the 3.0 branch; use the constraint that matches your branch):
composer require nette/application:^3.0.6
composer update nette/application
After upgrading, verify the installed version using:
composer show nette/application
Review application logs for any suspicious URL patterns or callback parameters that may indicate exploitation attempts. If upgrading is not immediately possible, implement strict input validation and consider restricting access to the application until patches can be applied.
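As an added check, not part of the advisory or of Nette's own tooling, the following script reads a composer.lock document and reports any affected package still pinned below the patched release for its branch. The sample lock content is constructed, and how branches not listed in the advisory are treated is an assumption noted in the code.

```python
import json

# Patched release per affected major.minor branch, as listed in the advisory.
FIXED = {
    "nette/application": {"2.2": "2.2.10", "2.3": "2.3.14", "2.4": "2.4.16", "3.0": "3.0.6"},
    "nette/nette": {"2.0": "2.0.19", "2.1": "2.1.13"},
}

def parse_version(text):
    """'v2.4.15' -> (2, 4, 15); suffixes dropped, 'dev-*' strings raise ValueError."""
    core = text.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))

def required_fix(package, version):
    """Patched release `version` must reach, or None if already patched / unaffected.
    Assumption beyond the advisory: branches newer than any listed count as patched;
    older unlisted branches are pointed at the lowest listed patched release."""
    branches = FIXED.get(package)
    if not branches:
        return None
    parsed = parse_version(version)
    branch = f"{parsed[0]}.{parsed[1]}"
    if branch in branches:
        fix = branches[branch]
        return fix if parsed < parse_version(fix) else None
    listed = sorted(branches, key=parse_version)
    if parsed[:2] > parse_version(listed[-1]):
        return None
    return branches[listed[0]]

def audit_lock(lock_json):
    """Map each still-vulnerable affected package in a composer.lock document
    (sections 'packages' and 'packages-dev') to (pinned version, required fix)."""
    findings = {}
    for section in ("packages", "packages-dev"):
        for pkg in json.loads(lock_json).get(section, []):
            fix = required_fix(pkg.get("name"), pkg.get("version", ""))
            if fix is not None:
                findings[pkg["name"]] = (pkg["version"], fix)
    return findings

# Constructed sample lock content, not taken from any real project.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "nette/application", "version": "v2.4.15"},
                 {"name": "nette/utils", "version": "v3.1.0"}],
    "packages-dev": [{"name": "nette/nette", "version": "v2.1.13"}],
})
if __name__ == "__main__":
    for name, (pinned, fix) in audit_lock(SAMPLE_LOCK).items():
        print(f"{name} {pinned} is vulnerable; upgrade to {fix} or later")
```

Point audit_lock at the real composer.lock of each deployment rather than trusting a single `composer show` on one host, since lock files are what CI and production actually install from.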