CVE-2025-58163
BaseFortify
Publication date: 2025-09-03
Last updated on: 2025-09-08
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freescout | freescout | up to 1.8.186 (excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in FreeScout (versions 1.8.185 and earlier) involves unsafe deserialization of untrusted data. Authenticated attackers who know the application's APP_KEY can exploit an endpoint by sending specially crafted parameters that are decrypted and then unserialized without proper validation. This allows attackers to inject malicious serialized PHP objects, leading to remote code execution. The issue arises because the decrypt function in app/Helper.php automatically unserializes decrypted data, which can contain harmful payloads. This vulnerability is fixed in version 1.8.186 by changing the decrypt function to avoid automatic unserialization unless explicitly intended. [1, 3]
How can this vulnerability impact me?
If exploited, this vulnerability allows an attacker with high privileges and knowledge of the APP_KEY to execute arbitrary code remotely on the FreeScout server. This can lead to full compromise of the system, including unauthorized access, data manipulation, and disruption of service. The impact includes high confidentiality, integrity, and availability risks, meaning sensitive data could be exposed or altered, and the service could be rendered unavailable. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can involve monitoring for HTTP GET requests to the vulnerable endpoint pattern `/help/{mailbox_id}/auth/{customer_id}/{hash}/{timestamp}` with unusual or crafted values in the `customer_id` and `timestamp` parameters, which may indicate attempts to exploit the deserialization vulnerability. Network intrusion detection systems (NIDS) or web application firewalls (WAFs) can be configured to alert on such patterns. Reviewing application logs for unexpected decrypt or unserialize errors originating in `app/Helper.php` may also help identify exploitation attempts. Specific commands depend on your environment; for example, `tcpdump` or `ngrep` can be used to filter HTTP requests to the endpoint (`tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/help/'`), or `grep` can be run over web server logs for `/help/` requests with suspicious parameters. [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade FreeScout to version 1.8.186 or later, where the vulnerability is fixed by disabling automatic unserialization of decrypted data in the `Helper::decrypt()` function. If upgrading is not immediately possible, restrict access to the vulnerable endpoint to trusted users only, ensure the APP_KEY is kept secret, and monitor for suspicious activity targeting the endpoint. Applying the patch from the commit that modifies the decrypt function to prevent unsafe unserialization is also recommended. [1, 2, 3]
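The decrypt-then-unserialize pattern explained in the first answer and the fix described here, as an added example that is not FreeScout's or Laravel's own code: `decryptRaw`, `decryptUnsafe`, `decryptSafe`, `encryptPayload`, the key and the envelope format are all constructed for illustration and only approximate Laravel's encrypter.

```php
<?php
// Added example, not FreeScout's code: a minimal Laravel-style encrypt/decrypt pair
// (AES-256-CBC + HMAC-SHA256 over a base64 JSON envelope) that contrasts a decrypt
// helper which always unserialize()s its output with one that only does so on request.

const CIPHER = 'aes-256-cbc';

// Constructed helper used only to produce a valid token for the demo below.
function encryptPayload(string $plain, string $key): string {
    $iv = random_bytes(16);
    $value = openssl_encrypt($plain, CIPHER, $key, 0, $iv);
    $mac = hash_hmac('sha256', base64_encode($iv) . $value, $key);
    return base64_encode(json_encode(['iv' => base64_encode($iv), 'value' => $value, 'mac' => $mac]));
}

// Verifies the MAC, then decrypts. Returns null on any malformed or tampered input.
function decryptRaw(string $payload, string $key): ?string {
    $data = json_decode(base64_decode($payload, true) ?: '', true);
    if (!is_array($data) || !isset($data['iv'], $data['value'], $data['mac'])) return null;
    $expected = hash_hmac('sha256', $data['iv'] . $data['value'], $key);
    if (!hash_equals($expected, $data['mac'])) return null;
    $plain = openssl_decrypt($data['value'], CIPHER, $key, 0, base64_decode($data['iv']));
    return $plain === false ? null : $plain;
}

// Vulnerable pattern (CWE-502): the plaintext goes straight into unserialize(), so
// anyone able to produce a valid ciphertext (i.e. anyone holding APP_KEY) decides
// which PHP classes get instantiated. The MAC only proves the key was used, not
// that the serialized content is trustworthy.
function decryptUnsafe(string $payload, string $key) {
    $plain = decryptRaw($payload, $key);
    return $plain === null ? null : unserialize($plain);
}

// Hardened pattern: hand back the plaintext string by default; unserialize only when
// the caller explicitly asks, and then with object instantiation disabled.
function decryptSafe(string $payload, string $key, bool $unserialize = false) {
    $plain = decryptRaw($payload, $key);
    if ($plain === null || !$unserialize) return $plain;
    return unserialize($plain, ['allowed_classes' => false]);
}

// Demo with a constructed 32-byte key and a harmless serialized stdClass standing in
// for attacker-chosen serialized data.
$key = str_repeat('k', 32);
$token = encryptPayload('O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}', $key);
var_dump(decryptUnsafe($token, $key));      // instantiates whatever class the data names
var_dump(decryptSafe($token, $key));        // plaintext only, no object is built
var_dump(decryptSafe($token, $key, true));  // parsed with allowed_classes disabled
```

The difference to look for in a code review is the same one the 1.8.186 fix makes: the caller, not the decrypt helper, must opt in to unserialization.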