{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-34292", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2025-04-15T19:15:22.581Z", "datePublished": "2025-10-27T14:36:52.888Z", "dateUpdated": "2025-10-27T15:56:11.101Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Rox", "repo": "https://github.com/BeWelcome/rox", "vendor": "BeWelcome", "versions": [{"lessThan": "commit c60bf04", "status": "affected", "version": "0", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bewelcome:rox:*:*:*:*:*:*:*:*", "versionEndExcluding": "commit_c60bf04", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "value": "Drew Webber (mcdruid)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Rox, the software running BeWelcome,&nbsp;contains a PHP object injection vulnerability&nbsp;resulting from deserialization of untrusted data. User-controlled input is passed to PHP's unserialize(): the POST parameter `formkit_memory_recovery` in \\\\RoxPostHandler::getCallbackAction and the 'memory cookie' read by \\\\RoxModelBase::getMemoryCookie (bwRemember). (1) If present, `formkit_memory_recovery` is processed and passed to unserialize(), and (2) restore-from-memory functionality calls unserialize() on the bwRemember cookie value. Gadget chains present in Rox and bundled libraries enable exploitation of object injection to write arbitrary files or achieve remote code execution. Successful exploitation can lead to full site compromise. This vulnerability was<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;remediated with commit </span><span style=\"background-color: rgb(255, 255, 255);\">c60bf04 (2025-06-16).</span><br>"}], "value": "Rox, the software running BeWelcome,\u00a0contains a PHP object injection vulnerability\u00a0resulting from deserialization of untrusted data. User-controlled input is passed to PHP's unserialize(): the POST parameter `formkit_memory_recovery` in \\\\RoxPostHandler::getCallbackAction and the 'memory cookie' read by \\\\RoxModelBase::getMemoryCookie (bwRemember). (1) If present, `formkit_memory_recovery` is processed and passed to unserialize(), and (2) restore-from-memory functionality calls unserialize() on the bwRemember cookie value. Gadget chains present in Rox and bundled libraries enable exploitation of object injection to write arbitrary files or achieve remote code execution. Successful exploitation can lead to full site compromise. This vulnerability was\u00a0remediated with commit c60bf04 (2025-06-16)."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.4, "baseSeverity": "CRITICAL", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2025-10-27T15:09:28.592Z"}, "references": [{"tags": ["product"], "url": "https://github.com/BeWelcome/rox"}, {"tags": ["technical-description", "exploit"], "url": "https://gist.github.com/mcdruid/c0f7c42b28949c7d86cf77d0c674f398"}, {"tags": ["patch"], "url": "https://github.com/BeWelcome/rox/commit/c60bf04"}, {"tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/rox-php-object-injection-rce"}], "source": {"discovery": "UNKNOWN"}, "title": "Rox PHP Object Injection RCE", "x_generator": {"engine": "Vulnogram 0.4.0"}}, "adp": [{"references": [{"url": "https://gist.github.com/mcdruid/c0f7c42b28949c7d86cf77d0c674f398", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-27T15:19:37.331902Z", "id": "CVE-2025-34292", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:56:11.101Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-34292", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-10-27T15:19:37.331902Z"}}}], "references": [{"url": "https://gist.github.com/mcdruid/c0f7c42b28949c7d86cf77d0c674f398", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:19:54.277Z"}}], "cna": {"title": "Rox PHP Object Injection RCE", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Drew Webber (mcdruid)"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/BeWelcome/rox", "vendor": "BeWelcome", "product": "Rox", "versions": [{"status": "affected", "version": "0", "lessThan": "commit c60bf04", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/BeWelcome/rox", "tags": ["product"]}, {"url": "https://gist.github.com/mcdruid/c0f7c42b28949c7d86cf77d0c674f398", "tags": ["technical-description", "exploit"]}, {"url": "https://github.com/BeWelcome/rox/commit/c60bf04", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/rox-php-object-injection-rce", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.4.0"}, "descriptions": [{"lang": "en", "value": "Rox, the software running BeWelcome,\u00a0contains a PHP object injection vulnerability\u00a0resulting from deserialization of untrusted data. User-controlled input is passed to PHP's unserialize(): the POST parameter `formkit_memory_recovery` in \\\\RoxPostHandler::getCallbackAction and the 'memory cookie' read by \\\\RoxModelBase::getMemoryCookie (bwRemember). (1) If present, `formkit_memory_recovery` is processed and passed to unserialize(), and (2) restore-from-memory functionality calls unserialize() on the bwRemember cookie value. Gadget chains present in Rox and bundled libraries enable exploitation of object injection to write arbitrary files or achieve remote code execution. Successful exploitation can lead to full site compromise. This vulnerability was\u00a0remediated with commit c60bf04 (2025-06-16).", "supportingMedia": [{"type": "text/html", "value": "Rox, the software running BeWelcome,&nbsp;contains a PHP object injection vulnerability&nbsp;resulting from deserialization of untrusted data. User-controlled input is passed to PHP's unserialize(): the POST parameter `formkit_memory_recovery` in \\\\RoxPostHandler::getCallbackAction and the 'memory cookie' read by \\\\RoxModelBase::getMemoryCookie (bwRemember). (1) If present, `formkit_memory_recovery` is processed and passed to unserialize(), and (2) restore-from-memory functionality calls unserialize() on the bwRemember cookie value. Gadget chains present in Rox and bundled libraries enable exploitation of object injection to write arbitrary files or achieve remote code execution. Successful exploitation can lead to full site compromise. This vulnerability was<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;remediated with commit </span><span style=\"background-color: rgb(255, 255, 255);\">c60bf04 (2025-06-16).</span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:bewelcome:rox:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "commit_c60bf04", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2025-10-27T15:09:28.592Z"}}}, "cveMetadata": {"cveId": "CVE-2025-34292", "state": "PUBLISHED", "dateUpdated": "2025-10-27T15:56:11.101Z", "dateReserved": "2025-04-15T19:15:22.581Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2025-10-27T14:36:52.888Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Rox, the software running BeWelcome,\u00a0contains a PHP object injection vulnerability\u00a0resulting from deserialization of untrusted data. User-controlled input is passed to PHP's unserialize(): the POST parameter `formkit_memory_recovery` in \\\\RoxPostHandler::getCallbackAction and the 'memory cookie' read by \\\\RoxModelBase::getMemoryCookie (bwRemember). (1) If present, `formkit_memory_recovery` is processed and passed to unserialize(), and (2) restore-from-memory functionality calls unserialize() on the bwRemember cookie value. Gadget chains present in Rox and bundled libraries enable exploitation of object injection to write arbitrary files or achieve remote code execution. Successful exploitation can lead to full site compromise. This vulnerability was\u00a0remediated with commit c60bf04 (2025-06-16)."}], "id": "CVE-2025-34292", "lastModified": "2025-10-27T16:15:39.850", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2025-10-27T15:15:38.317", "references": [{"source": "disclosure@vulncheck.com", "url": "https://gist.github.com/mcdruid/c0f7c42b28949c7d86cf77d0c674f398"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/BeWelcome/rox"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/BeWelcome/rox/commit/c60bf04"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/rox-php-object-injection-rce"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://gist.github.com/mcdruid/c0f7c42b28949c7d86cf77d0c674f398"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{}