CVE Catalog

CVE-2025-34292

CriticalCVSS 9.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.53%

41th percentile - higher than 41% of all known CVEs

Summary

Rox, the software running BeWelcome, contains a PHP object injection vulnerability due to deserialization of untrusted data. The POST parameter `formkit_memory_recovery` and the `bwRemember` cookie are passed to unserialize(), allowing an attacker to execute arbitrary code or write files.

Risk Assessment

Successful exploitation can lead to full compromise of the BeWelcome site, including data theft, content modification, or infrastructure takeover.

Recommendation

Apply the patch available in commit c60bf04 (2025-06-16) immediately and update Rox to the latest version. Avoid deserializing user-supplied data.

Original NVD description (English source)

Rox, the software running BeWelcome, contains a PHP object injection vulnerability resulting from deserialization of untrusted data. User-controlled input is passed to PHP's unserialize(): the POST parameter `formkit_memory_recovery` in \\RoxPostHandler::getCallbackAction and the 'memory cookie' read by \\RoxModelBase::getMemoryCookie (bwRemember). (1) If present, `formkit_memory_recovery` is processed and passed to unserialize(), and (2) restore-from-memory functionality calls unserialize() on the bwRemember cookie value. Gadget chains present in Rox and bundled libraries enable exploitation of object injection to write arbitrary files or achieve remote code execution. Successful exploitation can lead to full site compromise. This vulnerability was remediated with commit c60bf04 (2025-06-16).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS