PT-2025-26454 · Sugarcrm · Sugarcrm

Egidio Romano

Published: 2025-06-20 · Updated: 2025-11-20

CVE-2025-25034

CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions:
SugarCRM versions prior to 6.5.24
SugarCRM versions prior to 6.7.13
SugarCRM versions prior to 7.5.2.5
SugarCRM versions prior to 7.6.2.2
SugarCRM versions prior to 7.7.1.0
Description: A PHP object injection issue exists due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the rest data parameter before passing it to the unserialize() function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. A prior fix was incomplete and failed to address some vectors.
Recommendations:
For versions prior to 6.5.24, update to version 6.5.24 or later.
For versions prior to 6.7.13, update to version 6.7.13 or later.
For versions prior to 7.5.2.5, update to version 7.5.2.5 or later.
For versions prior to 7.6.2.2, update to version 7.6.2.2 or later.
For versions prior to 7.7.1.0, update to version 7.7.1.0 or later.
As a temporary workaround, consider disabling the unserialize() function for the rest data parameter in the SugarRestSerialize.php script until a patch is available.
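The pattern the advisory describes, and the two ways a maintainer would normally close it, as an added PHP example. This is illustrative code written for this entry, not SugarCRM's SugarRestSerialize.php; the parameter name rest_data and the function names are assumptions, and the sample inputs are constructed (a harmless stdClass, no real gadget).

```php
<?php
// Illustrative example added to this advisory; it is not SugarCRM's own code.
// The parameter name "rest_data" and the function names are assumptions
// taken from the advisory text above.

declare(strict_types=1);

// Vulnerable pattern described in the advisory: caller-controlled input is
// passed straight to unserialize(), so any loadable class with a magic
// method (__wakeup, __destruct, __toString, ...) can be instantiated by
// whoever controls the request body.
function decodeRestDataUnsafe(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened variant 1: keep the PHP-serialized wire format for compatibility
// but refuse to instantiate any class. With allowed_classes => false every
// object in the payload is materialised as __PHP_Incomplete_Class, which has
// no magic-method side effects; the result is then rejected if it still
// contains an object, so only scalars and arrays get through.
function decodeRestDataSafe(string $raw): array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if ($data === false && $raw !== serialize(false)) {
        throw new InvalidArgumentException('rest_data is not valid serialized data');
    }
    if (containsObject($data)) {
        throw new InvalidArgumentException('rest_data must not contain objects');
    }
    return is_array($data) ? $data : ['value' => $data];
}

// Hardened variant 2 (preferred for new endpoints): use a data-only format
// that cannot describe objects at all.
function decodeRestDataJson(string $raw): array
{
    $data = json_decode($raw, true, 32, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : ['value' => $data];
}

// Recursive check used by decodeRestDataSafe().
function containsObject(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample inputs for a local run.
$benign     = serialize(['method' => 'get_server_info', 'session' => 'abc123']);
$withObject = serialize(['obj' => new stdClass()]);

var_dump(decodeRestDataSafe($benign)['method']);
try {
    decodeRestDataSafe($withObject);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The allowed_classes option is the smallest change that keeps existing clients working, but it only removes object instantiation; switching the endpoint to JSON removes the serialized format entirely and is the better long-term fix.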

Exploit · Fix · RCE · Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers: CVE-2025-25034

Affected Products: Sugarcrm