PT-2025-43965 · Rox · Rox
Drew Webber · Published 2025-10-27 · Updated 2025-10-27 · CVE-2025-34292
CVSS v4.0: 9.4 (Critical)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Rox (affected versions not specified)
Description
The software contains a PHP object injection issue caused by deserialization of untrusted data. User-controlled input, specifically the formkit memory recovery POST parameter handled in RoxPostHandler::getCallbackAction and the 'memory cookie' (bwRemember) read by RoxModelBase::getMemoryCookie, is passed to PHP's unserialize() function. Gadget chains within Rox and its bundled libraries allow this object injection to be used to write arbitrary files or achieve remote code execution, potentially leading to full site compromise.
Recommendations
Update to a version after commit c60bf04 (2025-06-16).
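As an added illustration that is not Rox's own code: a hypothetical reconstruction of the memory-cookie pattern the description names, with the unsafe unserialize() call beside a hardened replacement. The function names, the JSON-plus-HMAC cookie format and the secret constant are assumptions.

```php
<?php
// Hypothetical reconstruction, not Rox's code: a "remember me" cookie whose
// value goes straight to unserialize(). Every autoloadable class becomes
// reachable through __wakeup/__destruct gadgets, which is the object
// injection the advisory describes.
function getMemoryCookieVulnerable(array $cookies): ?array
{
    if (!isset($cookies['bwRemember'])) {
        return null;
    }
    $data = unserialize($cookies['bwRemember']); // untrusted, all classes allowed
    return is_array($data) ? $data : null;
}

// Hardened replacement: JSON payload plus an HMAC under a server-side secret.
// json_decode() can never instantiate objects, and a forged or tampered
// cookie fails the tag check before it is parsed.
const MEMORY_COOKIE_SECRET = 'replace-with-a-random-server-secret'; // assumption: from config

function buildMemoryCookie(array $payload): string
{
    $json = json_encode($payload, JSON_THROW_ON_ERROR);
    return base64_encode($json) . '.' . hash_hmac('sha256', $json, MEMORY_COOKIE_SECRET);
}

function getMemoryCookieHardened(array $cookies): ?array
{
    $raw = $cookies['bwRemember'] ?? null;
    if (!is_string($raw) || substr_count($raw, '.') !== 1) {
        return null;
    }
    [$b64, $tag] = explode('.', $raw, 2);
    $json = base64_decode($b64, true);
    if ($json === false) {
        return null;
    }
    // hash_equals() compares in constant time, so the tag cannot be guessed byte by byte
    if (!hash_equals(hash_hmac('sha256', $json, MEMORY_COOKIE_SECRET), $tag)) {
        return null;
    }
    $data = json_decode($json, true);
    return is_array($data) ? $data : null;
}

// Round trip with a constructed payload; a hand-edited cookie returns NULL.
$cookie = buildMemoryCookie(['member_id' => 42, 'expires' => 1767225600]);
var_dump(getMemoryCookieHardened(['bwRemember' => $cookie]));
var_dump(getMemoryCookieHardened(['bwRemember' => $cookie . 'x']));
```

If a serialized format cannot be dropped, PHP 7's unserialize($s, ['allowed_classes' => false]) turns any object into __PHP_Incomplete_Class, but an authenticated JSON cookie removes the gadget surface entirely.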
Weakness Enumeration
Deserialization of Untrusted Data
Related Identifiers
CVE-2025-34292
Affected Products
Rox