CVE-2025-63950

Name of the Vulnerable Software and Affected Versions to3k Twittodon versions prior to commit b1c58a7d1dc664b38deb486ca290779621342c0b

Description An insecure deserialization issue exists in the download.php script of the to3k Twittodon application. The obj parameter accepts base64-encoded data which is then passed to the unserialize() function without proper validation. This allows a remote, unauthenticated attacker to inject arbitrary PHP objects, potentially causing a denial of service.

Recommendations Versions prior to commit b1c58a7d1dc664b38deb486ca290779621342c0b should be updated. As a temporary workaround, consider restricting access to the download.php script until a patch is available. Ensure the obj parameter is properly validated before being passed to the unserialize() function.