CVE-2025-67084 Overview
A critical file upload vulnerability exists in InvoicePlane through version 1.6.3 that allows authenticated attackers to upload arbitrary PHP files into attachments. These malicious files can subsequently be executed remotely, leading to Remote Code Execution (RCE) on the affected server. This vulnerability represents a severe security risk as it enables attackers with valid credentials to completely compromise the underlying system.
Critical Impact
Authenticated attackers can achieve full Remote Code Execution by uploading and executing arbitrary PHP files through the attachment functionality, potentially leading to complete system compromise.
Affected Products
- InvoicePlane versions through 1.6.3
- All installations with file attachment functionality enabled
- Deployments whose web server will execute PHP files placed in the attachment storage directory (the common case when that directory sits under the web root and no per-directory execution restriction is configured)
Discovery Timeline
- 2026-01-15 - CVE-2025-67084 published to NVD
- 2026-01-22 - Last updated in NVD database
Technical Details for CVE-2025-67084
Vulnerability Analysis
This vulnerability is classified under CWE-616 (Incomplete Identification of Uploaded File Variables). The core issue stems from InvoicePlane's failure to properly validate and sanitize uploaded files within its attachment handling functionality. While the application requires authentication, once an attacker has valid credentials (even with minimal privileges), they can exploit the attachment upload feature to introduce malicious PHP code onto the server.
The attack surface is network-accessible, so any attacker who can reach the InvoicePlane instance over the network can exploit it. Exploitation complexity is low: beyond valid credentials, it requires only a basic understanding of web file upload attacks.
Root Cause
The root cause of this vulnerability lies in insufficient file upload validation within InvoicePlane's attachment handling mechanism. The application fails to properly identify and restrict uploaded file types, allowing PHP files to be uploaded and stored in web-accessible directories. Consistent with the CWE-616 classification, the weaknesses are:
- The uploaded file's extension is not checked against a strict allowlist
- MIME type validation is either missing or relies on the client-supplied Content-Type, which the attacker controls
- Uploaded files are stored under the web root in a directory from which the web server will execute PHP
- Filenames are not sanitized, so executable extensions such as .php are preserved on disk
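The contrast between the weak check described above and a hardened one is easiest to see side by side. The following is an added example written for this page, not InvoicePlane's own code (InvoicePlane is PHP; the logic is the same in any language). The allowlist, the set of PHP-executable extensions and the sample uploads are assumptions constructed for the demonstration.

```python
import os
import secrets

# Extensions that common Apache/PHP handler configurations treat as PHP.
# Debian's mod_php configuration, for instance, matches .php, .phar and .phtml.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "pht", "phps"}

# Attachment types this example accepts (an assumption; tune to the deployment).
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif", "txt", "csv"}

# Leading bytes expected for the binary types, so a PHP script renamed to
# .png is not accepted on its extension alone.
MAGIC_BYTES = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def weak_check(filename: str, client_mime: str) -> bool:
    """The CWE-616 pattern: a denylist on the last extension plus trust in the
    client-supplied Content-Type. Both values are attacker-controlled."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    if ext == "php":
        return False
    return client_mime.startswith(("image/", "application/pdf"))


def strict_check(filename: str, content: bytes) -> tuple[bool, str]:
    """Hardened handler: extension allowlist, no PHP extension anywhere in the
    name, magic-byte check, and a random stored name.
    Returns (accepted, stored_name_or_rejection_reason)."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path components
    parts = base.lower().split(".")
    if len(parts) < 2 or parts[0] == "":
        return False, "no usable base name or extension"
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not in allowlist"
    # Under AddHandler-style configurations mod_mime evaluates every dotted
    # segment, so shell.php.jpg can still run as PHP.
    if any(seg in PHP_EXTENSIONS for seg in parts[1:-1]):
        return False, "PHP extension embedded in filename"
    if ext in MAGIC_BYTES and not content.startswith(MAGIC_BYTES[ext]):
        return False, f"content does not look like .{ext}"
    if ext in {"txt", "csv"} and b"<?" in content:
        return False, "PHP open tag in text attachment"  # defence in depth
    # Never keep the client's name: a predictable name is what lets the
    # attacker find the file by URL afterwards.
    return True, f"{secrets.token_hex(16)}.{ext}"


# Constructed sample uploads (name, bytes, client Content-Type); not real attachments.
SAMPLES = [
    ("shell.phtml", b"<?php system($_GET['c']); ?>", "image/png"),
    ("shell.php.jpg", b"\xff\xd8\xff\xe0<?php echo 1; ?>", "image/jpeg"),
    ("invoice.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n", "application/pdf"),
    ("../../.htaccess", b"AddType application/x-httpd-php .jpg\n", "image/jpeg"),
]


def compare(samples=SAMPLES):
    """Run both checks over the samples; returns (name, weak_accepts, strict_accepts)."""
    return [(name, weak_check(name, mime), strict_check(name, data)[0])
            for name, data, mime in samples]


if __name__ == "__main__":
    for name, weak, strict in compare():
        print(f"{name:18} weak={weak!s:5} strict={strict}")
```

Every sample passes the weak check because the attacker chooses both the extension and the Content-Type header; the strict check rejects all but the genuine PDF, and the name it stores bears no relation to the name the client sent, which also defeats the "guess the upload path" step of the attack.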
Attack Vector
The attack vector involves an authenticated user exploiting the file attachment functionality to upload a malicious PHP file. The attacker crafts a PHP webshell or reverse shell payload, then uses the legitimate attachment upload feature to place this file on the server. Since the uploaded files are stored in web-accessible directories without proper execution restrictions, the attacker can then navigate directly to the uploaded file's URL to trigger PHP execution.
The attack flow typically involves:
- Authenticating to InvoicePlane with any valid user account
- Accessing a feature that allows file attachments (such as invoice attachments)
- Uploading a PHP file containing malicious code (potentially disguised or with manipulated headers)
- Determining or guessing the upload path where the file is stored
- Accessing the uploaded PHP file directly via its URL to execute arbitrary code
For technical implementation details, refer to the Helx Blog Advisory.
Detection Methods for CVE-2025-67084
Indicators of Compromise
- Presence of unexpected .php files in attachment upload directories
- Web server access logs showing direct requests to attachment storage paths with PHP file extensions
- Unusual process spawning from the web server process (e.g., bash, sh, cmd.exe)
- Outbound network connections originating from the web server to unknown external hosts
Detection Strategies
- Monitor file system writes in attachment directories for files with executable extensions (.php, .phtml, .php5, etc.)
- Implement web application firewall (WAF) rules that flag PHP open tags (<?php) in multipart upload bodies; treat this as a detection signal rather than a control, since encoded or split payloads evade simple matching
- Review web server access logs for direct access attempts to attachment directories
- Deploy file integrity monitoring on upload directories to detect unauthorized file additions
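Two of the strategies above, the directory sweep for executable extensions and the access-log review, can be scripted. The following is an added example written for this page, not a tool from the InvoicePlane project. The attachment URL prefix, the directory layout and the access-log lines are constructed assumptions; check the real storage path of your deployment before using the prefix.

```python
import os
import re
import tempfile

# Extensions a PHP handler may execute, matched anywhere in the name so that
# double extensions such as shell.php.jpg are caught as well.
EXEC_EXT_RE = re.compile(r"\.(?:php[3-8]?|phtml|phar|pht|phps)(?:\.|$)", re.IGNORECASE)

# Files that can re-enable PHP execution or change handler mappings if dropped
# into an upload directory.
CONFIG_NAMES = {".htaccess", ".user.ini"}

# URL prefix under which attachments are served. An assumption for this
# example: check the real path in your InvoicePlane deployment.
ATTACHMENT_URL_PREFIX = "/uploads/"

# Apache combined log format (client IP, timestamp, request line, status, size).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def scan_upload_dir(root: str) -> list[str]:
    """Walk the attachment tree and return paths (relative to root) of files that
    a PHP handler could execute, plus dropped configuration files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if EXEC_EXT_RE.search(name) or name in CONFIG_NAMES:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def suspicious_requests(log_lines, prefix: str = ATTACHMENT_URL_PREFIX):
    """Return (client_ip, request_target, status) for requests that fetch something
    with a PHP-like extension from the attachment path. A 200 on such a request
    is the strongest signal: a correctly restricted directory answers 403."""
    found = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("target").split("?", 1)[0]   # ignore the query string
        if path.startswith(prefix) and EXEC_EXT_RE.search(path):
            found.append((m.group("ip"), m.group("target"), int(m.group("status"))))
    return found


# Constructed access-log lines for the demonstration; not from a real server.
SAMPLE_LOG = """\
198.51.100.7 - - [15/Jan/2026:10:21:03 +0000] "POST /index.php/invoices/view/12 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.4 - - [15/Jan/2026:10:22:41 +0000] "GET /uploads/customer_files/invoice_12.pdf HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jan/2026:10:23:09 +0000] "GET /uploads/customer_files/c3a1f0.phtml?cmd=id HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [15/Jan/2026:10:23:40 +0000] "GET /uploads/customer_files/shell.php.jpg HTTP/1.1" 200 93 "-" "curl/8.4.0"
""".splitlines()


def demo_scan() -> list[str]:
    """Build a throwaway upload tree with a mix of benign and suspicious names
    (constructed for the example) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "2026"))
        for rel in ["invoice_12.pdf", "notes.txt", "c3a1f0.phtml",
                    "shell.php.jpg", ".htaccess", "2026/x.PHP"]:
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(b"sample")
        return scan_upload_dir(root)


if __name__ == "__main__":
    print("files to review:", demo_scan())
    for ip, target, status in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
```

Run the directory sweep against the real attachment root and feed the real access log to suspicious_requests; a hit in both, from the same client, is the pairing the indicators of compromise above describe (a dropped script followed by a direct request for it). The scan is deliberately case-insensitive and also reports .htaccess and .user.ini, because an uploaded configuration file can turn an otherwise harmless extension into an executable one.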
Monitoring Recommendations
- Enable detailed logging for all file upload operations in InvoicePlane
- Configure alerts for any PHP file creation in web-accessible directories
- Monitor outbound network traffic from the web server for anomalous connections
- Implement process monitoring to detect unexpected child processes spawned by the web server
How to Mitigate CVE-2025-67084
Immediate Actions Required
- Upgrade InvoicePlane to a patched version when available from the InvoicePlane GitHub Repository
- Review all users with access to file upload functionality and remove unnecessary accounts
- Audit attachment directories for any existing malicious PHP files
- Implement network segmentation to limit the impact of potential compromise
Patch Information
As of the last update, organizations should monitor the official InvoicePlane GitHub Repository for security updates addressing this vulnerability. Review the Helx Blog Advisory for additional guidance and updates on patch availability.
Workarounds
- Configure the web server to disable PHP execution in upload/attachment directories using .htaccess rules or server configuration
- Block upload requests whose filename carries a PHP-executable extension (.php, .phtml, .phar, .php5 and similar) at a WAF or reverse proxy in front of the application, as a stopgap until the application itself validates uploads
- Move attachment storage directories outside of the web root to prevent direct access
- Deploy a reverse proxy with strict content filtering to inspect and block malicious uploads
# Apache 2.4 configuration to disable PHP execution in the attachments directory.
# Use the whole <Directory> block in the server configuration (httpd.conf or a vhost
# file). In an .htaccess file inside the attachments directory use only the inner
# directives, since <Directory> and AllowOverride are not permitted there.
<Directory /path/to/invoiceplane/uploads/attachments>
    # Stops an uploaded .htaccess from re-enabling PHP in this directory.
    AllowOverride None
    # mod_php only (mod_php7.c for PHP 7); under PHP-FPM the FilesMatch below does the work.
    <IfModule mod_php.c>
        php_admin_flag engine Off
    </IfModule>
    # Deny anything with a PHP-like extension anywhere in the name, shell.php.jpg included.
    <FilesMatch "\.ph(p[3-8]?|tml|ar|t|ps)(\.|$)">
        Require all denied
    </FilesMatch>
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

