CVE-2025-34292
BaseFortify
Publication date: 2025-10-27
Last updated on: 2025-10-30
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bewelcome | rox | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-34292 is a critical PHP object injection vulnerability in Rox, the software that runs BeWelcome. It arises from unsafe deserialization of untrusted data: user-controlled input is passed directly to PHP's `unserialize()` without validation. Specifically, the POST parameter `formkit_memory_recovery` and the "memory" cookie `bwRemember` are deserialized, so an attacker can reach existing gadget chains in Rox and its bundled libraries to write arbitrary files or execute code remotely (RCE), up to full site compromise. Exploitation requires an authenticated session and involves crafting serialized payloads that bypass the input transformations the application applies. [2, 3]
How can this vulnerability impact me? :
This vulnerability allows an authenticated attacker to write arbitrary files on the server or execute arbitrary PHP code (remote code execution). Either outcome can lead to full site compromise, data breaches, service disruption, or persistent unauthorized control of the affected host. The severity is critical: the CVSS v4 base score is 9.4, reflecting low attack complexity and no user interaction required (an authenticated session is the only precondition). [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Network-side, look for HTTP POST requests that carry the `formkit_memory_recovery` parameter with a PHP-serialized object payload (recognisable by tokens such as `O:<len>:"ClassName":`, possibly URL-encoded), especially to endpoints such as `/polls`, and for `bwRemember` cookies whose value is serialized data rather than an opaque token. A WAF or reverse-proxy rule keyed on those two names, or offline analysis of captured traffic, covers both. Host-side, review PHP error logs for `unserialize()` notices, check the web root and temp directories for files the application did not write, and watch for child processes spawned by the PHP worker; those are the traces of a successful file write or RCE. To confirm that a given installation is affected, the published proof-of-concept script (`rox_poc.sh`) automates login, CSRF token retrieval and payload delivery; the manual equivalent is a POST with a serialized payload to the vulnerable endpoint under a valid session, for instance: `curl -X POST -d 'formkit_memory_recovery=<serialized_payload>' https://targetsite/polls -b 'session_cookie=...'` where `<serialized_payload>` is a crafted PHP serialized object chain. Run such active tests only against systems you are authorised to test, and prefer a payload with an observable but harmless effect over one that writes files or executes commands. [2]
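The request-side check described above, as an added example written for this page (it is not BaseFortify's, VulnCheck's or Rox's code). It scans captured requests for PHP-serialized object tokens in the `formkit_memory_recovery` POST parameter and the `bwRemember` cookie named in the advisory; the base64 layer it also unwraps is an assumption, not an encoding the page documents, and the request records at the bottom are constructed samples.

```php
<?php
// Added example (not BaseFortify's or Rox's code): flag requests that carry
// PHP-serialized object payloads in the two places CVE-2025-34292 reads from.
// Parameter, cookie and path names come from the advisory text; the base64
// unwrapping is an assumed evasion layer; the request records are constructed.

declare(strict_types=1);

// Serialized-object tokens: O:<len>:"Class" (object) and C:<len>:"Class"
// (custom-serialized object). Plain arrays (a:) and scalars are harmless on
// their own; an object nested anywhere in the string is what a gadget chain needs.
const SERIALIZED_OBJECT_RE = '/(?:^|[;{:])[OC]:\d+:"[A-Za-z_\\\\][A-Za-z0-9_\\\\]*":/';

/**
 * Every form of $raw worth scanning: as received, URL-decoded and, when the
 * value is strict base64 (assumed wrapper, not documented by the advisory),
 * base64-decoded.
 */
function candidateDecodings(string $raw): array
{
    $out = [$raw];
    $url = rawurldecode($raw);
    if ($url !== $raw) {
        $out[] = $url;
    }
    foreach ([$raw, $url] as $v) {
        $b64 = base64_decode($v, true);
        if ($b64 !== false && $b64 !== '' && preg_match('/^[A-Za-z0-9+\/=]+$/', $v) === 1) {
            $out[] = $b64;
        }
    }
    return array_unique($out);
}

function containsSerializedObject(string $value): bool
{
    foreach (candidateDecodings($value) as $candidate) {
        if (preg_match(SERIALIZED_OBJECT_RE, $candidate) === 1) {
            return true;
        }
    }
    return false;
}

/**
 * Inspect one captured request (keys: method, path, post[], cookies[]).
 * Returns a list of finding strings; an empty list means nothing suspicious.
 */
function inspectRequest(array $req): array
{
    $findings = [];
    $watch = [
        'post'    => ['formkit_memory_recovery'],
        'cookies' => ['bwRemember'],
    ];
    foreach ($watch as $section => $names) {
        foreach ($names as $name) {
            $value = $req[$section][$name] ?? null;
            if (is_string($value) && containsSerializedObject($value)) {
                $findings[] = sprintf('%s %s: serialized object in %s[%s]',
                    $req['method'], $req['path'], $section, $name);
            }
        }
    }
    return $findings;
}

// Constructed sample traffic: a benign form-memory post with a benign cookie,
// a cookie carrying an object, and a URL-encoded object in the POST parameter
// (stdClass stands in for a real gadget class).
$samples = [
    ['method' => 'POST', 'path' => '/polls',
     'post'    => ['formkit_memory_recovery' => 'a:1:{s:5:"title";s:4:"test";}'],
     'cookies' => ['bwRemember' => 'a:1:{s:2:"id";i:42;}']],
    ['method' => 'GET', 'path' => '/',
     'post'    => [],
     'cookies' => ['bwRemember' => 'a:1:{i:0;O:8:"stdClass":0:{}}']],
    ['method' => 'POST', 'path' => '/polls',
     'post'    => ['formkit_memory_recovery' => rawurlencode('O:8:"stdClass":1:{s:1:"x";i:1;}')],
     'cookies' => []],
];

foreach ($samples as $i => $req) {
    foreach (inspectRequest($req) as $finding) {
        echo "[sample $i] $finding\n";
    }
}
```

Only the second and third samples produce findings; the first carries serialized arrays of scalars, which the pattern deliberately ignores so that legitimate form drafts do not page anyone. The same `inspectRequest()` logic fits as an early middleware in the application or as a replay tool over captured request bodies, since access logs normally do not record POST data.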
What immediate steps should I take to mitigate this vulnerability?
Apply the official fix, committed on 2025-06-16 (commit c60bf04), which restricts the unsafe deserialization, and deploy the patched Rox release as soon as possible; that is the only complete remediation. Until then, note that limiting the affected endpoints to logged-in users does not help, because exploitation already requires an authenticated session; instead, block or strip the `formkit_memory_recovery` POST parameter and the `bwRemember` cookie at the web server or WAF, or reject values containing serialized object tokens (`O:`/`C:`), and watch for attempts as described above. In the code, pass `['allowed_classes' => false]` (or an explicit allow-list of harmless classes) to `unserialize()` so that no attacker-named class is instantiated; objects in the payload then come back as `__PHP_Incomplete_Class` and no `__wakeup` or `__destruct` method runs, but the result must still be validated, because the call does not fail outright. Better, replace PHP serialization for this data with `json_encode()`/`json_decode()`, which cannot express objects at all, and validate the decoded structure like any other user input. The remember-me cookie in particular should carry an opaque random token (or a signed identifier) that is looked up server-side rather than serialized state. [2]
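The `allowed_classes` and JSON mitigations above, as an added example written for this page (it is not the actual Rox fix in commit c60bf04, which this page does not show). The function names, the size cap and the flat-string field rule are assumptions standing in for whatever shape Rox's form-memory data really has; only `unserialize()`'s `allowed_classes`/`max_depth` options and `json_decode()` are real PHP APIs.

```php
<?php
// Added example (not Rox's code): the deserialization pattern the advisory
// describes, beside two safer replacements. Function names, the size cap and
// the field rule are illustrative assumptions.

declare(strict_types=1);

// Vulnerable pattern: attacker-controlled bytes reach unserialize() unchanged,
// so any object in the payload is instantiated and its magic methods
// (__wakeup, __destruct, ...) run, which is exactly what a gadget chain needs.
function recoverFormMemoryVulnerable(string $raw)
{
    return @unserialize($raw);
}

// Hardened variant 1: keep the serialized format but refuse objects.
// With allowed_classes => false (PHP 7.0+) the named class is never
// instantiated; it becomes __PHP_Incomplete_Class and no magic method runs.
// Because unserialize() still returns a value, a walk over the result rejects
// the payload outright instead of silently keeping a crippled object.
function recoverFormMemoryNoObjects(string $raw): ?array
{
    if (strlen($raw) > 8192) {            // assumed size cap for a form draft
        return null;
    }
    // max_depth needs PHP 7.4+; drop it on older runtimes.
    $data = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 8]);
    if (!is_array($data) || containsObject($data)) {
        return null;
    }
    return $data;
}

function containsObject($v): bool
{
    if (is_object($v)) {
        return true;
    }
    if (is_array($v)) {
        foreach ($v as $child) {
            if (containsObject($child)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened variant 2 (preferred): JSON cannot express PHP objects, so class
// instantiation is off the table; what remains is ordinary input validation.
function recoverFormMemoryJson(string $raw): ?array
{
    try {
        $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);   // PHP 7.3+
    } catch (JsonException $e) {
        return null;
    }
    if (!is_array($data)) {
        return null;
    }
    foreach ($data as $field => $value) {       // assumed rule: flat string fields only
        if (!is_string($field) || !is_string($value)) {
            return null;
        }
    }
    return $data;
}

// Constructed inputs: a benign draft and an object payload (stdClass stands in
// for a real gadget class; the point is that it is an object at all).
$benign = 'a:1:{s:5:"title";s:4:"test";}';
$gadget = 'a:1:{s:1:"x";O:8:"stdClass":1:{s:3:"cmd";s:2:"id";}}';

$checks = [
    'vulnerable path instantiates the object'      => (recoverFormMemoryVulnerable($gadget)['x'] ?? null) instanceof stdClass,
    'allowed_classes=false path rejects the object' => recoverFormMemoryNoObjects($gadget) === null,
    'allowed_classes=false path keeps benign draft' => recoverFormMemoryNoObjects($benign) === ['title' => 'test'],
    'JSON path keeps a flat draft'                  => recoverFormMemoryJson('{"title":"test"}') === ['title' => 'test'],
    'JSON path rejects serialized input'            => recoverFormMemoryJson($gadget) === null,
];
foreach ($checks as $label => $ok) {
    echo ($ok ? 'PASS' : 'FAIL'), ': ', $label, "\n";
}
```

Note what variant 1 does not do: it does not make `unserialize()` throw. A payload with an object still decodes, just to an inert `__PHP_Incomplete_Class`, which is why `containsObject()` is needed to fail closed rather than let a partially decoded structure flow into the application. The JSON variant needs no such walk, which is the main reason to prefer it for data that is merely a form draft or a remembered login.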