CVE-2025-34292
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Summary
Rox, the software running BeWelcome, contains a PHP object injection vulnerability resulting from deserialization of untrusted data. User-controlled input is passed to PHP's unserialize(): the POST parameter formkit_memory_recovery in \RoxPostHandler::getCallbackAction and the 'memory cookie' read by \RoxModelBase::getMemoryCookie (bwRemember). (1) If present, formkit_memory_recovery is processed and passed to unserialize(), and (2) restore-from-memory functionality calls unserialize() on the bwRemember cookie value. Gadget chains present in Rox and bundled libraries enable exploitation of object injection to write arbitrary files or achieve remote code execution. Successful exploitation can lead to full site compromise. This vulnerability was remediated with commit c60bf04 (2025-06-16).
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| BeWelcome | Rox | 0 < c60bf04c2464c4bfb6cfed6372a2890ca2d0c585 | affected |
Weaknesses
- CWE-502: CWE-502 Deserialization of Untrusted Data
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
Additional References
References
- https://github.com/BeWelcome/rox
- https://gist.github.com/mcdruid/c0f7c42b28949c7d86cf77d0c674f398
- https://github.com/BeWelcome/rox/commit/c60bf04
- https://www.vulncheck.com/advisories/rox-php-object-injection-rce
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.