Advisories for Composer/James-Heinrich/Phpthumb package

2025

phpThumb is vulnerable to Command Injection through its gif_outputAsJpeg function

gif_outputAsJpeg in phpThumb through 1.7.23 allows phpthumb.gif.php OS Command Injection via a crafted parameter value. This is fixed in 1.7.23-202506081709.

2022

phpThumb is vulnerable to Server-Side Request Forgery (SSRF)

The default configuration of phpThumb before 1.7.12 has a false value for the disable_debug option, which allows remote attackers to conduct Server-Side Request Forgery (SSRF) attacks via the src parameter.