CVE-2025-59050
BaseFortify
Publication date: 2025-09-16
Last updated on: 2025-10-02
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getgreenshot | greenshot | up to 1.3.301 (excluding 1.3.301) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Greenshot 1.3.300 and earlier involves unsafe deserialization of attacker-controlled data received via the WM_COPYDATA Windows message. Greenshot uses .NET's BinaryFormatter.Deserialize on data from WM_COPYDATA without validating or authenticating it first. Because the authorization check happens after deserialization, an attacker running a local process at the same integrity level can send a crafted message that triggers arbitrary code execution inside the Greenshot process. This occurs in a WinForms WndProc handler that processes WM_COPYDATA messages, copying bytes into a MemoryStream and deserializing them unsafely. The vulnerability allows execution of malicious payloads within the trusted Greenshot.exe process. [1, 2]
How can this vulnerability impact me?
This vulnerability allows a local attacker with the same integrity level as Greenshot to execute arbitrary code inside the Greenshot process without requiring privileges or user interaction. Because the code runs within a trusted, signed process, it can evade application control policies like AppLocker or Windows Defender Application Control that monitor process creation rather than in-process code execution. The impact includes high confidentiality, integrity, and availability risks, enabling stealthy persistence, lateral movement, and potentially full system compromise within an enterprise environment. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious WM_COPYDATA messages sent to the Greenshot main window, especially those containing serialized payloads using BinaryFormatter. Detection involves identifying processes sending WM_COPYDATA messages to Greenshot.exe and analyzing the message contents for unexpected or malicious serialized data. Since the attack is local and involves Windows messages, network detection is not applicable. On the system, you can use tools like Spy++ or similar Windows message monitoring utilities to watch WM_COPYDATA messages sent to Greenshot. Additionally, you can use PowerShell or other scripting tools to enumerate windows and send test WM_COPYDATA messages to verify if the system is running a vulnerable version. Example commands include using PowerShell to find the Greenshot window handle and monitor or log WM_COPYDATA messages, but no specific built-in command is provided in the resources. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update Greenshot to version 1.3.301 or later, where the vulnerability is fixed by restricting deserialization to a safe whitelist of types via a custom SafeSerializationBinder. No known workarounds exist. Until the update is applied, limit local access to the system to trusted users only, as the vulnerability requires a local process at the same integrity level to send WM_COPYDATA messages. Running Greenshot with the least privileges possible and monitoring for suspicious local activity may help reduce risk, but the definitive fix is upgrading to the patched version. [1, 2]
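The vulnerable shape the first answer describes (BinaryFormatter.Deserialize on WM_COPYDATA bytes before any authorization check) next to the whitelist-binder shape the last answer describes, as an added illustration that is not Greenshot's code: the CopyDataTransport payload class, the 64 KiB size cap, the command-name authorization stub and the method names are all assumptions. A binder limits which types the stream may materialise, but Microsoft's guidance is that BinaryFormatter is unsafe with or without a binder, so the durable fix is to stop using it for this message.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Windows.Forms;
// Hypothetical payload type the legitimate sender delivers (not Greenshot's real type).
[Serializable] public sealed class CopyDataTransport { public string Command; public string Argument; }
[StructLayout(LayoutKind.Sequential)]
public struct COPYDATASTRUCT { public IntPtr dwData; public int cbData; public IntPtr lpData; }
// Whitelist binder: only the expected type is materialised; any other type name in the stream is refused.
public sealed class SafeSerializationBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName) =>
        typeName == typeof(CopyDataTransport).FullName ? typeof(CopyDataTransport)
        : throw new SerializationException("Refused type in WM_COPYDATA payload: " + typeName);
}
public class MainForm : Form
{
    private const int WM_COPYDATA = 0x004A;
    // Vulnerable shape (CWE-502): Deserialize runs before any check, so a gadget chain executes first.
    private void HandleCopyDataUnsafe(byte[] bytes)
    {
        object obj = new BinaryFormatter().Deserialize(new MemoryStream(bytes));
        if (obj is CopyDataTransport t && IsAuthorizedSender(t)) Execute(t);
    }
    // Hardened shape: bound the size, bind types to the whitelist, then check the sender.
    private void HandleCopyDataSafe(byte[] bytes)
    {
        if (bytes.Length == 0 || bytes.Length > 64 * 1024) return; // hypothetical size cap
        var formatter = new BinaryFormatter { Binder = new SafeSerializationBinder() };
        CopyDataTransport t;
        try { t = (CopyDataTransport)formatter.Deserialize(new MemoryStream(bytes)); }
        catch (SerializationException) { return; } // the binder refused a type: drop the message
        if (IsAuthorizedSender(t)) Execute(t);
    }
    protected override void WndProc(ref Message m)
    {
        if (m.Msg == WM_COPYDATA)
        {   // copy the bytes out of the sender's COPYDATASTRUCT, as the WndProc handler does
            var cds = Marshal.PtrToStructure<COPYDATASTRUCT>(m.LParam);
            var bytes = new byte[cds.cbData];
            Marshal.Copy(cds.lpData, bytes, 0, cds.cbData);
            HandleCopyDataSafe(bytes);
        }
        base.WndProc(ref m);
    }
    private bool IsAuthorizedSender(CopyDataTransport t) => t.Command == "OpenFile"; // placeholder policy
    private void Execute(CopyDataTransport t) { /* dispatch the validated command */ }
}
```

Order matters in HandleCopyDataSafe: the size check and the binder run before anything is instantiated, whereas in HandleCopyDataUnsafe the authorization test is reached only after the stream has already been fully deserialized.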