CVE-2025-49597
Status: Awaiting Analysis - Queue
BaseFortify

Publication date: 2025-06-13

Last updated on: 2025-06-16

Assigner: GitHub, Inc.

Description
handcraftedinthealps goodby-csv is a highly memory efficient, flexible and extendable open-source CSV import/export library. Prior to 1.4.3, goodby-csv could be used as part of a chain of methods that is exploitable when an insecure deserialization vulnerability exists in an application. This so-called "gadget chain" presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability. The problem is patched with Version 1.4.3.
Meta Information
Published: 2025-06-13
Last Modified: 2025-06-16
Generated: 2026-05-07
AI Q&A: 2025-06-13
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-915: The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability involves the PHP class CallbackCollection in the goodby-csv library being reconstructible through PHP's unserialize(), which lets it be used as part of a gadget chain when an application insecurely deserializes untrusted data. While the gadget chain itself does not directly cause harm, it can be used to achieve remote code execution if combined with another vulnerability that allows unsafe unserialize() calls. The issue is fixed by adding a __wakeup() method to the CallbackCollection class that throws an exception whenever unserialization is attempted. [1, 2]


How can this vulnerability impact me?

If your application uses goodby-csv versions up to 1.4.2 and also insecurely deserializes untrusted data, this vulnerability could be exploited to achieve remote code execution through a gadget chain involving the CallbackCollection class. However, the vulnerability alone does not pose a direct threat and requires another flaw in the application to be exploitable. The impact includes potential low-level confidentiality, integrity, and availability risks, but exploitation complexity is high and requires local access with high privileges. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability relates to unsafe deserialization of the CallbackCollection class in goodby-csv versions prior to 1.4.3. Detection involves checking if your application uses goodby-csv version 1.4.2 or earlier and whether it deserializes untrusted data using PHP's unserialize() function. You can detect the vulnerable version by running commands like `composer show handcraftedinthealps/goodby-csv` or inspecting your composer.lock file. Additionally, searching your codebase for usage of unserialize() on untrusted input can help identify potential exposure. There are no specific network detection commands since the vulnerability requires local conditions and unsafe deserialization in the application. [2]
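The version check described above, as an added example that is not part of this page or the goodby-csv project: it reads a composer.lock file (or a constructed sample when no path is given), looks up handcraftedinthealps/goodby-csv in both the production and dev package sections, and compares the installed version against the 1.4.3 fix. The package and fixed-version constants come from the advisory text; the sample lock contents are constructed for the demo.

```php
<?php
// Added example (not BaseFortify's or goodby-csv's code): report whether the
// installed goodby-csv is below the fixed 1.4.3 by parsing composer.lock.
declare(strict_types=1);

const AFFECTED_PACKAGE = 'handcraftedinthealps/goodby-csv';
const FIXED_VERSION    = '1.4.3';

/**
 * Return the installed version of $package from decoded composer.lock data,
 * or null when it is not present. Both "packages" and "packages-dev" are
 * checked because a dev-only dependency still ships in many deployments.
 */
function installedVersion(array $lock, string $package): ?string
{
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $entry) {
            if (($entry['name'] ?? '') === $package) {
                // Drop a leading "v" so version_compare() sees plain numbers.
                return ltrim((string) $entry['version'], 'v');
            }
        }
    }
    return null;
}

function isAffected(?string $version): bool
{
    return $version !== null && version_compare($version, FIXED_VERSION, '<');
}

// Constructed sample lock data describing a vulnerable install.
$sampleLock = json_decode('{
  "packages": [
    {"name": "handcraftedinthealps/goodby-csv", "version": "v1.4.2"},
    {"name": "psr/log", "version": "3.0.0"}
  ],
  "packages-dev": []
}', true, 512, JSON_THROW_ON_ERROR);

// Usage: php check-goodby-csv.php [path/to/composer.lock]
$lockPath = $argv[1] ?? null;
$lock = $lockPath !== null
    ? json_decode((string) file_get_contents($lockPath), true, 512, JSON_THROW_ON_ERROR)
    : $sampleLock;

$version = installedVersion($lock, AFFECTED_PACKAGE);
if ($version === null) {
    echo AFFECTED_PACKAGE . " not found in lock file\n";
} elseif (isAffected($version)) {
    echo "AFFECTED: {$version} < " . FIXED_VERSION . " (CVE-2025-49597); upgrade\n";
} else {
    echo "OK: {$version} is at or above " . FIXED_VERSION . "\n";
}
```

The lock file is the better source than `composer show` on a build host, because it records what will actually be installed in production. Pair this with a source search for `unserialize(` on request-derived data, since the library version alone only tells you a gadget is present, not whether anything in the application would ever feed it untrusted input.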


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation is to upgrade the goodby-csv library to version 1.4.3 or later, where the vulnerability is patched by adding a __wakeup() method to the CallbackCollection class that prevents unserialization. If upgrading is not immediately possible, you can manually patch the CallbackCollection.php file by adding the __wakeup() method that throws a BadMethodCallException to block unserialization attempts. Also, ensure your application does not unserialize untrusted data to prevent exploitation. [1, 2]
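The hardening pattern described above, shown on a minimal stand-in class: this is an added example modelled on the fix the advisory describes, not the goodby-csv project's own CallbackCollection code. The class keeps working normally, but a __wakeup() that throws BadMethodCallException means unserialize() can never hand a reconstructed instance back to the caller, so the class can no longer serve as a link in a gadget chain.

```php
<?php
// Added example, modelled on the described fix; not the project's own code.
declare(strict_types=1);

final class CallbackCollection
{
    /** @var callable */
    private $callback;

    public function __construct(callable $callback)
    {
        $this->callback = $callback;
    }

    /** Apply the stored callback to every row, as a CSV filter would. */
    public function apply(array $rows): array
    {
        return array_map($this->callback, $rows);
    }

    /**
     * Called by unserialize() after the object graph has been rebuilt.
     * Throwing here aborts reconstruction, so untrusted serialized data can
     * never yield a live instance of this class.
     */
    public function __wakeup(): void
    {
        throw new BadMethodCallException('Cannot unserialize ' . self::class);
    }
}

// Normal construction and use are unaffected by the guard.
$coll = new CallbackCollection('strtoupper');
var_dump($coll->apply(['a', 'b']) === ['A', 'B']);   // bool(true)

// Round-trip the object through serialize()/unserialize() to show the guard
// firing; this stands in for serialized data arriving from an untrusted source.
$payload = serialize($coll);
try {
    unserialize($payload);
    echo "guard did not fire\n";
} catch (BadMethodCallException $e) {
    echo 'blocked: ' . $e->getMessage() . "\n";   // blocked: Cannot unserialize CallbackCollection
}
```

Beyond patching the gadget, the application-side control is to stop calling unserialize() on untrusted input at all, or at minimum to pass `['allowed_classes' => false]` as the second argument so no object can be instantiated from that data; the __wakeup() guard is defence in depth for the case where some other code path still does.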

