CVE-2025-65035
Untrusted Deserialization in GLPI Database Inventory Plugin Allows RCE
Publication date: 2025-12-19
Last updated on: 2025-12-19
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pluginsglpi | databaseinventory | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-65035 is a Stored Object Injection vulnerability in the pluginsGLPI Database Inventory Plugin up to version 1.1.1. It occurs because user-controlled data is insecurely stored in the database via the 'computergroup' parameter and then unserialized on every page load. This allows an attacker who has already obtained database write access through another vulnerability or misconfiguration to instantiate arbitrary PHP objects, potentially leading to severe security issues. The vulnerability was fixed in version 1.1.2 by replacing PHP serialization with JSON encoding to prevent object injection. [2, 3]
How can this vulnerability impact me?
If exploited, this vulnerability can lead to arbitrary PHP object instantiation, which may result in significant confidentiality, integrity, and availability impacts on the affected system. An attacker with high privileges and database write access could manipulate data, cause data loss or corruption, or disrupt the availability of the component. The CVSS v3.1 score rates this vulnerability as moderate severity with high impacts on confidentiality, integrity, and availability. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves checking if your system is running pluginsGLPI's Database Inventory Plugin version prior to 1.1.2 and if the database contains serialized PHP objects in the 'computergroup' dynamic group search parameters. You can query the database to find entries where the 'search' field is not in JSON format (i.e., does not start with '{'). For example, using SQL: SELECT * FROM computergroup WHERE search NOT LIKE '{%'; This indicates potentially vulnerable serialized data. Additionally, monitoring for unusual unserialize() calls or PHP object instantiation on page loads related to the plugin may help detect exploitation attempts. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the pluginsGLPI Database Inventory Plugin to version 1.1.2 or later, which replaces insecure PHP serialization with secure JSON encoding/decoding and includes a database migration to convert existing serialized data to JSON. If upgrading is not immediately possible, restrict database write access to trusted users only to prevent exploitation, as the vulnerability requires prior database write access. Also, review and harden permissions and configurations to prevent unauthorized data injection. [2, 3]
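The pattern behind the detection query above and the JSON migration in the fix, as an added PHP illustration that is not the plugin's own code. It assumes the 'computergroup' table and 'search' column from the SQL on this page, and the function names are hypothetical.

```php
<?php
// Added illustration, not the plugin's own code. Table/column names follow the
// SQL on this page ('computergroup'.'search'); function names are hypothetical.
// Vulnerable pattern (pre-1.1.2 behaviour as described): stored criteria are
// unserialized on page load, so any serialized object in the row is
// instantiated, with its __wakeup/__destruct side effects (CWE-502).
function loadCriteriaVulnerable(string $stored): mixed
{
    return unserialize($stored);
}

// Hardened pattern (the 1.1.2 approach as described): JSON has no notation
// that maps to PHP classes, so decoding yields arrays and scalars only.
function loadCriteriaSafe(string $stored): array
{
    $data = json_decode($stored, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Migration step for legacy rows: the same test as the page's
// "search NOT LIKE '{%'" selects non-JSON values; they are decoded with object
// instantiation disabled, flagged if an object marker is present, and
// otherwise re-encoded as JSON.
function migrateCriteria(string $stored): array
{
    if ($stored !== '' && $stored[0] === '{') {
        return ['status' => 'already-json', 'value' => $stored];
    }
    $legacy = @unserialize($stored, ['allowed_classes' => false]);
    if ($legacy === false && $stored !== 'b:0;') {
        return ['status' => 'invalid', 'value' => $stored];
    }
    if (hasObject($legacy)) {
        return ['status' => 'suspicious', 'value' => $stored];
    }
    return ['status' => 'migrated', 'value' => json_encode($legacy, JSON_THROW_ON_ERROR)];
}

// With allowed_classes => false every object comes back as __PHP_Incomplete_Class.
function hasObject(mixed $v): bool
{
    if ($v instanceof __PHP_Incomplete_Class) return true;
    if (is_array($v)) foreach ($v as $item) if (hasObject($item)) return true;
    return false;
}

// Constructed sample rows: legitimate legacy criteria, a planted object, a migrated row.
foreach (['a:1:{s:5:"field";i:1;}', 'O:8:"stdClass":1:{s:1:"x";i:1;}', '{"field":1}'] as $r) {
    print_r(migrateCriteria($r));
}
```

Rows reported as 'suspicious' are the ones worth reviewing before an upgrade, since they indicate a serialized object rather than plain search criteria.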
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows arbitrary PHP object instantiation through insecure unserialization of user-controlled data, with potentially high confidentiality, integrity, and availability impacts. Such impacts could result in unauthorized access to or modification of data, which may violate requirements of standards like GDPR or HIPAA that mandate protection of sensitive data and system integrity. Note that exploitation requires prior database write access obtained through another vulnerability or misconfiguration, so the weakness that grants that access is part of what would undermine compliance if this flaw were exploited. [3]