
CVE-2025-44137: n/a

Severity: High
Published: Tue Jul 29 2025 (07/29/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

MapTiler Tileserver-php v2.0 is vulnerable to Directory Traversal. The renderTile function within tileserver.php is responsible for delivering tiles that are stored as files on the server via web request. Construction of the path to a file allows the insertion of "../" and thus the reading of any file on the web server. Affected GET parameters are "TileMatrix", "TileRow", "TileCol" and "Format".

AI-Powered Analysis

Last updated: 07/29/2025, 17:32:48 UTC

Technical Analysis

CVE-2025-44137 is a directory traversal vulnerability found in MapTiler Tileserver-php version 2.0. The vulnerability exists in the renderTile function within the tileserver.php file, which is responsible for delivering map tiles stored as files on the server in response to web requests. The function constructs file paths based on user-supplied GET parameters: TileMatrix, TileRow, TileCol, and Format. Due to insufficient input validation or sanitization, an attacker can insert directory traversal sequences such as "../" into these parameters. This allows the attacker to manipulate the file path and access arbitrary files on the web server outside the intended tile directory. Exploiting this vulnerability could enable unauthorized reading of sensitive files, including configuration files, source code, or other data stored on the server. Although no known exploits are currently reported in the wild, the vulnerability is publicly disclosed and could be targeted by attackers once details become widely known. The vulnerability does not require authentication or user interaction, increasing its risk. The lack of a CVSS score means severity must be assessed based on the potential impact and ease of exploitation. Directory traversal vulnerabilities are typically critical or high severity because they can lead to information disclosure and potentially facilitate further attacks such as code execution if sensitive files are exposed. The affected product, MapTiler Tileserver-php, is used to serve map tiles in web mapping applications, which are common in geographic information systems (GIS), location-based services, and other spatial data platforms.

Potential Impact

For European organizations, this vulnerability poses a significant risk to any entity using MapTiler Tileserver-php v2.0 to serve map tiles. Potential impacts include unauthorized disclosure of sensitive internal files, which may contain credentials, internal network information, or proprietary data. This can lead to further exploitation, including lateral movement within networks or targeted attacks on critical infrastructure. Organizations in sectors such as government, transportation, utilities, and urban planning that rely heavily on GIS and mapping services are particularly at risk. The exposure of sensitive geospatial data or internal configurations could compromise operational security and privacy. Additionally, attackers could leverage disclosed information to craft more sophisticated attacks or disrupt services. Since the vulnerability can be exploited remotely without authentication, it increases the attack surface and the likelihood of exploitation. The absence of a patch or mitigation guidance in the provided information further elevates the risk for organizations that have not implemented compensating controls.

Mitigation Recommendations

To mitigate this vulnerability, organizations should first verify whether they are running MapTiler Tileserver-php version 2.0 or an earlier version that may also be affected. Immediate steps include implementing strict input validation and sanitization on the TileMatrix, TileRow, TileCol, and Format GET parameters so that directory traversal sequences such as "../" are rejected before any file path is built. Web application firewalls (WAFs) can be configured to detect and block requests containing path traversal patterns. Restricting file system permissions so that the web server process can read only the directories it needs limits the impact of a successful traversal. Monitoring and logging access to the tileserver.php endpoint for anomalous requests can help detect exploitation attempts. Where possible, isolating the tileserver environment from critical internal systems reduces risk. Organizations should also engage with MapTiler for official patches or updates addressing this vulnerability and apply them promptly once available. Until a patch is released, consider disabling the tileserver or restricting access to trusted networks only. Regular security assessments and code reviews of web-facing services are recommended to identify similar vulnerabilities proactively.
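The following is an added example of the input validation described above; it is not code from Tileserver-php or MapTiler. It shows how the four GET parameters can be constrained before a path is built, and how a realpath containment check adds a second line of defence. The tile root (TILE_BASE), the on-disk layout (layer/z/x/y.format), the format allow-list and the function names are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Tileserver-php's own code: hardened handling of the four
// GET parameters named in the advisory. The tile root, directory layout and
// function names are assumptions made for illustration.

const TILE_BASE = '/var/www/tiles';                 // assumed tile root
const ALLOWED_FORMATS = ['png', 'jpg', 'jpeg', 'webp', 'pbf'];

/**
 * Validate TileMatrix, TileRow, TileCol and Format from $params (e.g. $_GET).
 * Returns a clean array or null. Nothing from the request reaches the path
 * unless it matches a strict pattern or a fixed allow-list.
 */
function validateTileParams(array $params): ?array
{
    $clean = [];
    foreach (['TileMatrix', 'TileRow', 'TileCol'] as $key) {
        $value = $params[$key] ?? null;
        // Non-negative integer only: no sign, whitespace, dots or slashes.
        if (!is_string($value) || !preg_match('/^(0|[1-9][0-9]{0,9})$/', $value)) {
            return null;
        }
        $clean[$key] = (int)$value;
    }
    // Format is taken from the allow-list, never copied verbatim from the request.
    $format = strtolower((string)($params['Format'] ?? ''));
    if (!in_array($format, ALLOWED_FORMATS, true)) {
        return null;
    }
    $clean['Format'] = $format;
    return $clean;
}

/**
 * Build the tile path and confirm, after resolving "." / ".." and symlinks,
 * that it still lies inside TILE_BASE. Returns null if the tile is missing
 * or the resolved path escapes the root.
 */
function resolveTilePath(string $layer, array $params): ?string
{
    $clean = validateTileParams($params);
    if ($clean === null || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $layer)) {
        return null;
    }
    $candidate = sprintf('%s/%s/%d/%d/%d.%s', TILE_BASE, $layer,
        $clean['TileMatrix'], $clean['TileCol'], $clean['TileRow'], $clean['Format']);

    $base = realpath(TILE_BASE);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return null;
    }
    // Containment check: the resolved file must be strictly below the base directory.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed sample inputs (not from the advisory).
$normal    = ['TileMatrix' => '3', 'TileRow' => '5', 'TileCol' => '2', 'Format' => 'png'];
$traversal = ['TileMatrix' => '../..', 'TileRow' => '5', 'TileCol' => '2', 'Format' => 'png'];

var_dump(validateTileParams($normal) !== null);   // bool(true)
var_dump(validateTileParams($traversal));          // NULL: rejected before any filesystem access
```

The regular-expression checks alone stop traversal, because a value that contains anything other than digits never reaches the path. The realpath comparison is defence in depth: it also catches symlinks inside the tile tree that point outside it. Returning null on rejection is a natural point to emit a log entry, which supports the monitoring recommendation above.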


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-22T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68890237ad5a09ad008ef5d0

Added to database: 7/29/2025, 5:17:43 PM

Last enriched: 7/29/2025, 5:32:48 PM

Last updated: 8/30/2025, 11:49:17 AM

Views: 15
