CVE-2025-50198
Received Received - Intake
Deserialization Vulnerability in Chamilo LMS Allows Remote Exploitation

Publication date: 2026-03-02

Last updated on: 2026-03-03

Assigner: GitHub, Inc.

Description
Chamilo is a learning management system. Prior to version 1.11.30, Chamilo is vulnerable to deserialization of untrusted data in /plugin/vchamilo/views/import.php via POST configuration_file; POST course_path; POST home_path parameters. This issue has been patched in version 1.11.30.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-02
Last Modified
2026-03-03
Generated
2026-06-16
AI Q&A
2026-03-02
EPSS Evaluated
2026-06-15
NVD
CVE-2025-50198
EUVD
EUVD-2025-208171
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
chamilo chamilo_lms to 1.11.30 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Impact Analysis

This vulnerability can lead to significant impacts including low confidentiality and integrity loss but a high impact on availability due to potential system compromise.

An attacker can execute arbitrary code on the server, delete or move files, and gain a reverse shell, effectively taking control of the system.

Such control can disrupt the availability of the Chamilo LMS service, potentially causing downtime or data loss.

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-50198 is a high-severity vulnerability in Chamilo LMS versions prior to 1.11.30 caused by deserialization of untrusted data in the /plugin/vchamilo/views/import.php script via POST parameters configuration_file, course_path, and home_path.'}, {'type': 'paragraph', 'content': "An attacker with administrator privileges can craft malicious serialized PHP objects that, when deserialized, allow arbitrary object instantiation and manipulation, altering the application's logic."}, {'type': 'paragraph', 'content': "This vulnerability exploits PHP's native functions like is_dir, file_exists, and is_readable called with attacker-controlled input, enabling a deserialization chain that can lead to dangerous actions such as file deletion, file movement, or arbitrary code execution."}, {'type': 'paragraph', 'content': "Exploitation involves uploading a malicious phar archive (e.g., test.phar) using a user account with Learner role, which is then processed by the administrator triggering the vulnerable import.php script, resulting in execution of the attacker's payload and a reverse shell connection."}, {'type': 'paragraph', 'content': 'Mitigations include blocking untrusted deserialized data, replacing serialized objects with safer formats like JSON or XML, implementing data integrity checks, and validating input during deserialization.'}] [1]

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for attempts to exploit the deserialization flaw in the /plugin/vchamilo/views/import.php endpoint, specifically via POST requests containing the parameters configuration_file, course_path, and home_path.'}, {'type': 'paragraph', 'content': 'Detection can involve inspecting web server logs for suspicious POST requests to import.php that include unusual or serialized PHP object data, especially those containing phar:// stream wrappers or .phar file uploads.'}, {'type': 'paragraph', 'content': 'Since exploitation involves uploading a malicious phar archive (e.g., test.phar) and then triggering deserialization, commands to detect such activity might include:'}, {'type': 'list_item', 'content': "Checking for .phar files in upload directories: `find /path/to/chamilo/uploads -name '*.phar'`"}, {'type': 'list_item', 'content': "Searching web server access logs for POST requests to import.php: `grep 'POST /plugin/vchamilo/views/import.php' /var/log/apache2/access.log`"}, {'type': 'list_item', 'content': "Inspecting logs for suspicious serialized payloads or phar stream usage: `grep -i 'phar://' /var/log/apache2/access.log` or `grep -i 'configuration_file' /var/log/apache2/access.log`"}, {'type': 'paragraph', 'content': 'Additionally, monitoring for reverse shell connections or unusual outbound network connections from the server may help detect exploitation attempts.'}] [1]

Mitigation Strategies

Immediate mitigation steps include upgrading Chamilo LMS to version 1.11.30 or later, where the vulnerability has been patched.

If upgrading is not immediately possible, consider the following measures:

  • Configure the web server to block or restrict deserialization of untrusted data, especially blocking POST requests to /plugin/vchamilo/views/import.php that contain suspicious serialized data.
  • Replace serialized PHP objects with safer data formats such as JSON or XML where possible.
  • Implement data integrity checks like HMAC to verify the authenticity of deserialized data.
  • Validate and sanitize all input parameters explicitly, avoiding direct deserialization of user-controlled data.
  • Restrict file uploads to safe file types and block .phar files or other archive formats that can be used for deserialization attacks.

These steps reduce the risk of exploitation by preventing malicious payloads from being processed or executed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-50198. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart