CVE-2025-34292 (GCVE-0-2025-34292)

Vulnerability from cvelistv5 – Published: 2025-10-27 14:36 – Updated: 2025-10-27 21:09
VLAI?
Title
BeWelcome/Rox PHP Object Injection RCE
Summary
Rox, the software running BeWelcome, contains a PHP object injection vulnerability resulting from deserialization of untrusted data. User-controlled input is passed to PHP's unserialize(): the POST parameter `formkit_memory_recovery` in \\RoxPostHandler::getCallbackAction and the 'memory cookie' read by \\RoxModelBase::getMemoryCookie (bwRemember). (1) If present, `formkit_memory_recovery` is processed and passed to unserialize(), and (2) restore-from-memory functionality calls unserialize() on the bwRemember cookie value. Gadget chains present in Rox and bundled libraries enable exploitation of object injection to write arbitrary files or achieve remote code execution. Successful exploitation can lead to full site compromise. This vulnerability was remediated with commit c60bf04 (2025-06-16).
Severity ?
9.4 (Critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CWE
  • CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
Vendor Product Version
BeWelcome Rox Affected: 0 , < commit c60bf04 (custom)
Create a notification for this product.
Credits
Drew Webber (mcdruid)
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-34292",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-27T15:19:37.331902Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-27T15:56:11.101Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://gist.github.com/mcdruid/c0f7c42b28949c7d86cf77d0c674f398"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Rox",
          "repo": "https://github.com/BeWelcome/rox",
          "vendor": "BeWelcome",
          "versions": [
            {
              "lessThan": "commit c60bf04",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:bewelcome:rox:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "commit_c60bf04",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Drew Webber (mcdruid)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Rox, the software running BeWelcome,\u0026nbsp;contains a PHP object injection vulnerability\u0026nbsp;resulting from deserialization of untrusted data. User-controlled input is passed to PHP\u0027s unserialize(): the POST parameter `formkit_memory_recovery` in \\\\RoxPostHandler::getCallbackAction and the \u0027memory cookie\u0027 read by \\\\RoxModelBase::getMemoryCookie (bwRemember). (1) If present, `formkit_memory_recovery` is processed and passed to unserialize(), and (2) restore-from-memory functionality calls unserialize() on the bwRemember cookie value. Gadget chains present in Rox and bundled libraries enable exploitation of object injection to write arbitrary files or achieve remote code execution. Successful exploitation can lead to full site compromise. This vulnerability was\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;remediated with commit \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ec60bf04 (2025-06-16).\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "Rox, the software running BeWelcome,\u00a0contains a PHP object injection vulnerability\u00a0resulting from deserialization of untrusted data. User-controlled input is passed to PHP\u0027s unserialize(): the POST parameter `formkit_memory_recovery` in \\\\RoxPostHandler::getCallbackAction and the \u0027memory cookie\u0027 read by \\\\RoxModelBase::getMemoryCookie (bwRemember). (1) If present, `formkit_memory_recovery` is processed and passed to unserialize(), and (2) restore-from-memory functionality calls unserialize() on the bwRemember cookie value. Gadget chains present in Rox and bundled libraries enable exploitation of object injection to write arbitrary files or achieve remote code execution. Successful exploitation can lead to full site compromise. This vulnerability was\u00a0remediated with commit c60bf04 (2025-06-16)."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-586",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-586 Object Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.4,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-27T21:09:42.910Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/BeWelcome/rox"
        },
        {
          "tags": [
            "technical-description",
            "exploit"
          ],
          "url": "https://gist.github.com/mcdruid/c0f7c42b28949c7d86cf77d0c674f398"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/BeWelcome/rox/commit/c60bf04"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/rox-php-object-injection-rce"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "BeWelcome/Rox PHP Object Injection RCE",
      "x_generator": {
        "engine": "Vulnogram 0.4.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2025-34292",
    "datePublished": "2025-10-27T14:36:52.888Z",
    "dateReserved": "2025-04-15T19:15:22.581Z",
    "dateUpdated": "2025-10-27T21:09:42.910Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-34292\",\"sourceIdentifier\":\"disclosure@vulncheck.com\",\"published\":\"2025-10-27T15:15:38.317\",\"lastModified\":\"2025-10-30T15:05:50.613\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Rox, the software running BeWelcome,\u00a0contains a PHP object injection vulnerability\u00a0resulting from deserialization of untrusted data. User-controlled input is passed to PHP\u0027s unserialize(): the POST parameter `formkit_memory_recovery` in \\\\\\\\RoxPostHandler::getCallbackAction and the \u0027memory cookie\u0027 read by \\\\\\\\RoxModelBase::getMemoryCookie (bwRemember). (1) If present, `formkit_memory_recovery` is processed and passed to unserialize(), and (2) restore-from-memory functionality calls unserialize() on the bwRemember cookie value. Gadget chains present in Rox and bundled libraries enable exploitation of object injection to write arbitrary files or achieve remote code execution. Successful exploitation can lead to full site compromise. This vulnerability was\u00a0remediated with commit c60bf04 (2025-06-16).\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.4,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"references\":[{\"url\":\"https://gist.github.com/mcdruid/c0f7c42b28949c7d86cf77d0c674f398\",\"source\":\"disclosure@vulncheck.com\"},{\"url\":\"https://github.com/BeWelcome/rox\",\"source\":\"disclosure@vulncheck.com\"},{\"url\":\"https://github.com/BeWelcome/rox/commit/c60bf04\",\"source\":\"disclosure@vulncheck.com\"},{\"url\":\"https://www.vulncheck.com/advisories/rox-php-object-injection-rce\",\"source\":\"disclosure@vulncheck.com\"},{\"url\":\"https://gist.github.com/mcdruid/c0f7c42b28949c7d86cf77d0c674f398\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-34292\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-27T15:19:37.331902Z\"}}}], \"references\": [{\"url\": \"https://gist.github.com/mcdruid/c0f7c42b28949c7d86cf77d0c674f398\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-27T15:19:54.277Z\"}}], \"cna\": {\"title\": \"BeWelcome/Rox PHP Object Injection RCE\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Drew Webber (mcdruid)\"}], \"impacts\": [{\"capecId\": \"CAPEC-586\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-586 Object Injection\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 9.4, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/BeWelcome/rox\", \"vendor\": \"BeWelcome\", \"product\": \"Rox\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"commit c60bf04\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/BeWelcome/rox\", \"tags\": [\"product\"]}, {\"url\": \"https://gist.github.com/mcdruid/c0f7c42b28949c7d86cf77d0c674f398\", \"tags\": [\"technical-description\", \"exploit\"]}, {\"url\": \"https://github.com/BeWelcome/rox/commit/c60bf04\", \"tags\": [\"patch\"]}, {\"url\": \"https://www.vulncheck.com/advisories/rox-php-object-injection-rce\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.4.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Rox, the software running BeWelcome,\\u00a0contains a PHP object injection vulnerability\\u00a0resulting from deserialization of untrusted data. User-controlled input is passed to PHP\u0027s unserialize(): the POST parameter `formkit_memory_recovery` in \\\\\\\\RoxPostHandler::getCallbackAction and the \u0027memory cookie\u0027 read by \\\\\\\\RoxModelBase::getMemoryCookie (bwRemember). (1) If present, `formkit_memory_recovery` is processed and passed to unserialize(), and (2) restore-from-memory functionality calls unserialize() on the bwRemember cookie value. Gadget chains present in Rox and bundled libraries enable exploitation of object injection to write arbitrary files or achieve remote code execution. Successful exploitation can lead to full site compromise. This vulnerability was\\u00a0remediated with commit c60bf04 (2025-06-16).\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Rox, the software running BeWelcome,\u0026nbsp;contains a PHP object injection vulnerability\u0026nbsp;resulting from deserialization of untrusted data. User-controlled input is passed to PHP\u0027s unserialize(): the POST parameter `formkit_memory_recovery` in \\\\\\\\RoxPostHandler::getCallbackAction and the \u0027memory cookie\u0027 read by \\\\\\\\RoxModelBase::getMemoryCookie (bwRemember). (1) If present, `formkit_memory_recovery` is processed and passed to unserialize(), and (2) restore-from-memory functionality calls unserialize() on the bwRemember cookie value. Gadget chains present in Rox and bundled libraries enable exploitation of object injection to write arbitrary files or achieve remote code execution. Successful exploitation can lead to full site compromise. This vulnerability was\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;remediated with commit \u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003ec60bf04 (2025-06-16).\u003c/span\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502 Deserialization of Untrusted Data\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:bewelcome:rox:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"commit_c60bf04\", \"versionStartIncluding\": \"0\"}], \"operator\": \"OR\"}], \"operator\": \"OR\"}], \"providerMetadata\": {\"orgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"shortName\": \"VulnCheck\", \"dateUpdated\": \"2025-10-27T21:09:42.910Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-34292\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-27T21:09:42.910Z\", \"dateReserved\": \"2025-04-15T19:15:22.581Z\", \"assignerOrgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"datePublished\": \"2025-10-27T14:36:52.888Z\", \"assignerShortName\": \"VulnCheck\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.