CVE-2025-28916 identifies a Local File Inclusion (LFI) vulnerability in the Rashid Docpro product, specifically in versions up to and including 2.0.1. The vulnerability stems from improper control over the filename parameter used in PHP include or require statements. In PHP applications, include and require functions are used to incorporate and execute code from other files. When user input is directly used to determine the filename without adequate validation or sanitization, attackers can manipulate the input to include unintended local files from the server. This can lead to disclosure of sensitive files such as configuration files, password files, or application source code, and in some cases, it can be chained with other vulnerabilities to achieve remote code execution. Although the description mentions 'PHP Remote File Inclusion,' the actual issue is a Local File Inclusion vulnerability, which is generally easier to exploit when remote file inclusion protections are in place. The vulnerability affects Docpro versions from initial releases through 2.0.1. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved and published in March 2025 by Patchstack. The absence of a CVSS score indicates that the severity has not been formally assessed, but the technical nature of the flaw suggests significant risk. This vulnerability requires no authentication, making it accessible to unauthenticated attackers if the vulnerable endpoint is exposed. Exploitation may require user interaction depending on the application workflow. The vulnerability is categorized under improper input validation leading to insecure file inclusion, a common and dangerous web application security flaw.

The primary impact of CVE-2025-28916 is unauthorized disclosure of sensitive information and potential compromise of system integrity. Attackers exploiting this vulnerability can read arbitrary files on the server, which may include configuration files containing database credentials, private keys, or other sensitive data. This can lead to further attacks such as privilege escalation, lateral movement, or full system compromise. In some scenarios, LFI can be leveraged to execute arbitrary code if combined with other vulnerabilities or if the attacker can upload malicious files. The vulnerability affects all organizations using Rashid Docpro up to version 2.0.1, particularly those exposing the vulnerable PHP endpoints to the internet. This can impact confidentiality, integrity, and availability of affected systems. The lack of known exploits in the wild currently reduces immediate risk, but the vulnerability's presence in a document management system used in enterprises and government sectors increases the potential for targeted attacks. Organizations handling sensitive documents or regulated data are at higher risk of severe consequences including data breaches, compliance violations, and reputational damage.

1. Apply patches or updates from Rashid as soon as they become available to address this vulnerability. 2. In the absence of an official patch, implement strict input validation and sanitization on all user-supplied parameters that influence file inclusion logic. Use whitelisting approaches to restrict included files to a predefined set of safe files. 3. Employ PHP configuration directives such as 'open_basedir' to limit the directories accessible to PHP scripts, reducing the risk of arbitrary file inclusion. 4. Disable remote file inclusion settings in PHP (e.g., 'allow_url_include' set to Off) to prevent remote file inclusion attacks. 5. Conduct thorough code reviews and security testing focusing on file inclusion mechanisms within Docpro. 6. Monitor web server logs and application logs for suspicious requests attempting to exploit file inclusion. 7. Use Web Application Firewalls (WAFs) with rules designed to detect and block LFI attack patterns. 8. Restrict access to Docpro interfaces to trusted networks or VPNs where possible to reduce exposure. 9. Educate developers and administrators about secure coding practices related to file inclusion and input handling. 10. Regularly backup critical data and maintain incident response plans to quickly react to potential exploitation.