CVE-2025-34292
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-27

Last updated on: 2025-10-30

Assigner: VulnCheck

Description
Rox, the software running BeWelcome, contains a PHP object injection vulnerability resulting from deserialization of untrusted data. User-controlled input is passed to PHP's unserialize(): the POST parameter `formkit_memory_recovery` in \\RoxPostHandler::getCallbackAction and the 'memory cookie' read by \\RoxModelBase::getMemoryCookie (bwRemember). (1) If present, `formkit_memory_recovery` is processed and passed to unserialize(), and (2) restore-from-memory functionality calls unserialize() on the bwRemember cookie value. Gadget chains present in Rox and bundled libraries enable exploitation of object injection to write arbitrary files or achieve remote code execution. Successful exploitation can lead to full site compromise. This vulnerability was remediated with commit c60bf04 (2025-06-16).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-27
Last Modified
2025-10-30
Generated
2026-06-16
AI Q&A
2025-10-27
EPSS Evaluated
2026-06-15
NVD
CVE-2025-34292
EUVD
EUVD-2025-36182
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bewelcome rox *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-34292 is a critical PHP object injection vulnerability in Rox, the software running BeWelcome. It arises from unsafe deserialization of untrusted data, where user-controlled input is passed directly to PHP's unserialize() function without proper validation. Specifically, the POST parameter 'formkit_memory_recovery' and the 'memory cookie' (bwRemember) are deserialized, enabling attackers to exploit existing gadget chains in Rox and its bundled libraries to perform arbitrary file writes or remote code execution (RCE). This can lead to full site compromise. Exploitation requires an authenticated session and involves crafting serialized payloads that bypass input transformations. [2, 3]

Impact Analysis

This vulnerability allows an authenticated attacker to execute arbitrary PHP code on the server, potentially leading to remote code execution. Attackers can write arbitrary files or fully compromise the site, which may result in data breaches, service disruption, or unauthorized control over the affected system. The impact is critical, with a CVSS v4 base score of 9.4, indicating high severity and exploitability with low attack complexity and no user interaction required. [2, 3]

Detection Guidance

This vulnerability can be detected by monitoring for HTTP POST requests containing the parameter `formkit_memory_recovery` with suspicious serialized PHP object payloads, especially targeting endpoints like `/polls`. Additionally, inspecting cookies named `bwRemember` for unsafe serialized data can help identify attempts to exploit the flaw. Detection can involve capturing and analyzing HTTP traffic for these indicators. A practical approach includes using tools like curl or wget to send crafted payloads to test for unsafe unserialize() handling, or using scripts similar to the provided proof-of-concept bash script (`rox_poc.sh`) that automates login, CSRF token retrieval, and payload delivery to verify vulnerability. Example commands to test might include sending a POST request with a serialized payload to the vulnerable endpoint and observing the response or server behavior. For instance: `curl -X POST -d 'formkit_memory_recovery=<serialized_payload>' https://targetsite/polls -b 'session_cookie=...'` where `<serialized_payload>` is a crafted PHP serialized object chain. Monitoring logs for unexpected file writes or command execution traces can also indicate exploitation attempts. [2]

Mitigation Strategies

Immediate mitigation steps include applying the official fix committed on 2025-06-16 (commit c60bf04) which restricts unsafe deserialization. Until the fix is deployed, restrict access to vulnerable endpoints requiring authentication to limit exploitation. Disable or restrict PHP object deserialization by using the `allowed_classes` option in `unserialize()` to whitelist safe classes or disable object deserialization entirely. Prefer replacing PHP serialization with safer alternatives such as `json_encode()`/`json_decode()`. Additionally, monitor and block suspicious POST requests containing the `formkit_memory_recovery` parameter and validate or sanitize all user inputs rigorously. Deploy the patched version of Rox as soon as possible to fully remediate the vulnerability. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-34292. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart