CVE-2025-55010
BaseFortify
Publication date: 2025-08-12
Last updated on: 2025-08-22
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kanboard | kanboard | up to 1.2.47 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an unsafe deserialization issue in Kanboard prior to version 1.2.47. It occurs in the ProjectActivityEventFormatter component, where admin users can modify the event["data"] field in the project_activities table to include malicious PHP serialized objects. When this data is deserialized, it allows the attacker to instantiate arbitrary PHP objects, which can be exploited to write a web shell into the /plugins folder. This web shell enables remote code execution on the host system. The vulnerability arises because the application unserializes PHP data without proper validation, allowing execution of malicious code. [2]
How can this vulnerability impact me?
This vulnerability can lead to critical impacts including arbitrary remote code execution on the host system with the privileges of the PHP process user. An attacker with admin access can write a web shell to the /plugins directory, enabling them to execute system commands remotely. This can result in full filesystem access, persistence of the web shell across restarts, data exfiltration, tampering, or denial of service. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves checking the project_activities database table for events where the event["data"] field contains PHP serialized data starting with 'a:' (a serialized PHP array), which indicates potential exploitation. Specifically, look for entries with event_name 'comment.create' that have suspicious serialized payloads. Since the exploit writes a web shell into the /plugins directory (e.g., /plugins/test.php), scanning the /plugins folder for unexpected PHP files or recently modified files can also help detect compromise. Commands to assist detection include:
1) Querying the SQLite database for suspicious serialized data: sqlite3 kanboard.db "SELECT id, event_name, data FROM project_activities WHERE data LIKE 'a:%';"
2) Searching for unexpected PHP files in the plugins directory: find /path/to/kanboard/plugins -type f -name '*.php' -exec ls -l {} \;
3) Checking web server logs for access to suspicious PHP files under /plugins, e.g., grep '/plugins/' /var/log/apache2/access.log
These steps help identify whether the vulnerability has been exploited or whether malicious payloads exist. Note that legitimate legacy event data is also stored in serialized form, so rows returned by the query are candidates for review rather than confirmed exploitation; entries that embed serialized objects (tokens of the form O:<length>:"<class>") warrant the closest attention. [2]
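A triage helper for the database check above, added here as an example and not BaseFortify's or Kanboard's own code; it assumes the id/event_name/data column layout used in the query above and substitutes constructed sample rows for kanboard.db.

```python
import json
import re
import sqlite3

# Constructed sample rows shaped like the project_activities table
# (id, event_name, data). The serialized strings are invented for this example.
SAMPLE_ROWS = [
    (1, "task.create", json.dumps({"task": {"id": 1, "title": "hello"}})),
    # Legacy PHP-serialized array: matches LIKE 'a:%' but embeds no object.
    (2, "comment.create", 'a:1:{s:4:"task";a:1:{s:2:"id";i:7;}}'),
    # Serialized array that embeds an object (O:<len>:"<class>":...), the
    # shape that makes an unserialize() call instantiate a class.
    (3, "comment.create", 'a:1:{s:4:"task";O:8:"stdClass":1:{s:1:"x";s:3:"foo";}}'),
]

# A serialized PHP object begins with O:<length>:"<class name>".
PHP_OBJECT_TOKEN = re.compile(r'(?<![A-Za-z0-9_])O:\d+:"')


def classify_event_data(data: str) -> str:
    """Return 'json', 'serialized_array', 'serialized_with_object' or 'other'."""
    try:
        json.loads(data)
        return "json"
    except ValueError:
        pass
    if data.startswith("a:"):
        return "serialized_with_object" if PHP_OBJECT_TOKEN.search(data) else "serialized_array"
    return "other"


def find_suspicious(rows):
    """Ids of rows whose data is PHP-serialized and embeds an object; review these first."""
    return [row_id for row_id, _name, data in rows
            if classify_event_data(data) == "serialized_with_object"]


def scan_sqlite(conn: sqlite3.Connection):
    """Run the LIKE 'a:%' query from the text against a connection and triage the hits."""
    rows = conn.execute(
        "SELECT id, event_name, data FROM project_activities WHERE data LIKE 'a:%'"
    ).fetchall()
    return find_suspicious(rows)


def demo_in_memory():
    """Build an in-memory table from SAMPLE_ROWS and scan it (stand-in for kanboard.db)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE project_activities (id INTEGER, event_name TEXT, data TEXT)")
    conn.executemany("INSERT INTO project_activities VALUES (?, ?, ?)", SAMPLE_ROWS)
    return scan_sqlite(conn)  # → [3]
```

Point scan_sqlite at a connection to the real kanboard.db to get the list of row ids to inspect by hand.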
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1) Upgrade Kanboard to version 1.2.47 or later, where the unsafe deserialization vulnerability has been patched by disabling PHP unserialization of legacy event data.
2) Restrict admin access to trusted users only, as exploitation requires admin privileges.
3) Audit and remove any unauthorized PHP files in the /plugins directory that may have been uploaded via this exploit.
4) Monitor and secure the project_activities database to prevent unauthorized modifications.
5) Consider temporarily disabling or restricting access to the project activities page until the patch is applied, to prevent triggering the deserialization.
These steps reduce the risk of remote code execution and limit potential damage. [1, 2]