CVE-2025-63950
BaseFortify

Publication date: 2025-12-18

Last updated on: 2025-12-19

Assigner: MITRE

Description
An insecure deserialization vulnerability exists in the download.php script of the to3k Twittodon application through commit b1c58a7d1dc664b38deb486ca290779621342c0b (2023-02-28). The 'obj' parameter receives base64-encoded data that is passed directly to the unserialize() function without validation. This allows a remote, unauthenticated attacker to inject arbitrary PHP objects, leading to a denial of service.
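The pattern the description names (a base64 string from a request parameter handed straight to unserialize()) and one way to harden it, as an added illustration. This is not Twittodon's download.php: only the parameter name 'obj' and the base64 transport come from the advisory; the DownloadRequest class, its fields and the validation rules are assumed here for demonstration.

```php
<?php
// Added example, not Twittodon code. Class name, fields and limits are assumed.

final class DownloadRequest
{
    public string $file = '';
    public int $limit = 0;
}

// Weak pattern described by the advisory: attacker-controlled bytes reach
// unserialize() with no validation, so the caller chooses which class gets
// instantiated and which magic methods (__wakeup, __destruct, ...) run.
function parseObjWeak(string $obj): mixed
{
    return unserialize(base64_decode($obj));
}

// Hardened pattern: bounded input, strict base64 decoding, an explicit
// allowed_classes list, and field-level validation after decoding.
function parseObjHardened(string $obj): ?DownloadRequest
{
    if (strlen($obj) > 4096) {
        return null; // cap the work the decoder can be made to do
    }
    $raw = base64_decode($obj, true); // strict mode rejects non-base64 input
    if ($raw === false) {
        return null;
    }
    try {
        // Any class not on the list becomes __PHP_Incomplete_Class, which the
        // instanceof check below rejects; typed-property violations throw.
        $value = unserialize($raw, ['allowed_classes' => [DownloadRequest::class]]);
    } catch (\Throwable $e) {
        return null;
    }
    if (!$value instanceof DownloadRequest) {
        return null;
    }
    // unserialize() only enforces declared property types; ranges and
    // formats still have to be checked by the application.
    if ($value->file === ''
        || !preg_match('/^[A-Za-z0-9._-]+$/', $value->file)
        || str_contains($value->file, '..')) {
        return null;
    }
    if ($value->limit < 0 || $value->limit > 1000) {
        return null;
    }
    return $value;
}

// Preferred alternative for untrusted input: carry a small JSON document
// instead of PHP serialization, so no object is ever instantiated by the decoder.
function parseObjJson(string $obj): ?DownloadRequest
{
    $raw = base64_decode($obj, true);
    if ($raw === false || strlen($raw) > 4096) {
        return null;
    }
    $data = json_decode($raw, true, 4);
    if (!is_array($data) || !isset($data['file'], $data['limit'])
        || !is_string($data['file']) || !is_int($data['limit'])) {
        return null;
    }
    $req = new DownloadRequest();
    $req->file = $data['file'];
    $req->limit = $data['limit'];
    return $req;
}

// Constructed sample inputs for local testing.
$legit = new DownloadRequest();
$legit->file = 'report.csv';
$legit->limit = 50;
$okToken = base64_encode(serialize($legit));
$hostileToken = base64_encode('O:8:"stdClass":0:{}');

$accepted = parseObjHardened($okToken);       // DownloadRequest instance
$rejected = parseObjHardened($hostileToken);  // null: stdClass is not allowed
$viaJson  = parseObjJson(base64_encode(json_encode(['file' => 'report.csv', 'limit' => 50])));
```

The allowed_classes option is the minimal fix for code that must keep PHP serialization; it stops attacker-chosen classes from being instantiated but does not bound nesting depth or payload size, which is why the length cap and the post-decode field checks are kept. Replacing the serialized object with JSON removes the object-injection surface altogether.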
Meta Information
Published: 2025-12-18
Last Modified: 2025-12-19
Generated: 2026-05-07
AI Q&A: 2025-12-18
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products (1 associated CPE)
Vendor: to3k
Product: twittodon
Version / Range: *
CWE
CWE ID: CWE-502
Description: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
AI Powered Q&A

Can you explain this vulnerability to me?

This vulnerability is an insecure deserialization issue in the download.php script of the to3k Twittodon application. The 'obj' parameter accepts base64-encoded data that is directly passed to the PHP unserialize() function without any validation. This allows a remote, unauthenticated attacker to inject arbitrary PHP objects, potentially causing a denial of service. [2]

How can this vulnerability impact me?

The vulnerability can allow a remote attacker to inject arbitrary PHP objects into the application, which can lead to a denial of service. This means the application could crash or become unavailable, disrupting service for users. [2]