CVE-2025-44137 is a directory traversal vulnerability identified in MapTiler Tileserver-php version 2.0. The vulnerability resides in the renderTile function within the tileserver.php file, which is responsible for delivering map tiles stored as files on the server in response to web requests. The function constructs file paths based on user-supplied GET parameters: TileMatrix, TileRow, TileCol, and Format. Due to insufficient input validation, an attacker can inject directory traversal sequences such as '../' into these parameters, enabling them to access files outside the intended tile directories. This flaw allows unauthorized reading of arbitrary files on the web server, potentially exposing sensitive configuration files, credentials, or other critical data. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The CVSS 3.1 base score of 8.2 reflects the vulnerability's high impact on confidentiality and integrity, with no impact on availability. Although no known exploits are reported in the wild yet, the ease of exploitation and the sensitive nature of data accessible through this flaw make it a significant threat. The vulnerability is categorized under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). No official patches or fixes are currently listed, emphasizing the need for immediate mitigation efforts by affected users.

For European organizations, this vulnerability poses a serious risk of unauthorized disclosure of sensitive information hosted on web servers running MapTiler Tileserver-php v2.0. Organizations using this software for geospatial data delivery, including government agencies, urban planning departments, transportation networks, and critical infrastructure operators, could have confidential files exposed, leading to potential espionage, data leaks, or further exploitation. The ability to read arbitrary files without authentication increases the attack surface and could facilitate subsequent attacks such as credential theft or lateral movement within networks. The impact is particularly critical for entities handling personal data or strategic infrastructure mapping, as exposure could violate GDPR and other data protection regulations, resulting in legal and reputational consequences. Additionally, attackers could leverage the vulnerability to gather intelligence on system configurations and security controls, aiding in more sophisticated attacks.

Immediate mitigation should focus on implementing strict input validation and sanitization for the TileMatrix, TileRow, TileCol, and Format GET parameters to disallow directory traversal sequences such as '../'. Employ whitelisting approaches that only accept expected numeric or predefined string values corresponding to valid tile coordinates and formats. If possible, restrict file system access permissions for the tileserver process to limit exposure of sensitive files outside the tile directories. Monitor web server logs for suspicious requests containing traversal patterns. Network-level protections such as web application firewalls (WAFs) can be configured to detect and block directory traversal attempts targeting these parameters. Organizations should track MapTiler's official channels for patches or updates addressing this vulnerability and apply them promptly once available. Conduct internal audits to identify all instances of Tileserver-php deployments and prioritize remediation based on exposure and criticality. Consider isolating the tileserver environment from other sensitive systems to reduce lateral movement risk.