BeWelcome/Rox PHP Object Injection RCE (CVE-2025-34292)

9.4 / 10
CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

Rox, the software running BeWelcome, contains a PHP object injection vulnerability caused by deserialization of untrusted data. User-controlled input reaches PHP's `unserialize()` at two points: the POST parameter `formkit_memory_recovery` in `\RoxPostHandler::getCallbackAction`, and the "memory cookie" (`bwRemember`) read by `\RoxModelBase::getMemoryCookie`. (1) If present, `formkit_memory_recovery` is processed and passed to `unserialize()`, and (2) the restore-from-memory functionality calls `unserialize()` on the `bwRemember` cookie value. Gadget chains present in Rox and its bundled libraries allow the object injection to be turned into arbitrary file writes or remote code execution, so successful exploitation can lead to full site compromise. The vulnerability was remediated in commit c60bf04 (2025-06-16).
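The two sinks described above, contrasted with hardened forms, as an added illustration (this is not Rox's own code; the function names and the cookie-signing key are assumptions):

```php
<?php
// Added illustrative example, not Rox's code. Function names are hypothetical;
// the parameter and cookie names come from the advisory.

// Vulnerable pattern: the raw POST field reaches unserialize(), so any
// autoloadable class with __wakeup/__destruct gadgets is instantiated with
// attacker-chosen properties.
function restoreFormMemoryVulnerable(array $post): mixed
{
    if (!isset($post['formkit_memory_recovery'])) {
        return null;
    }
    return unserialize($post['formkit_memory_recovery']);
}

// Hardened variant 1: keep unserialize() but forbid object instantiation.
// With allowed_classes => false every object in the payload becomes
// __PHP_Incomplete_Class, so no application magic methods run.
function restoreFormMemoryHardened(array $post): mixed
{
    if (!isset($post['formkit_memory_recovery'])) {
        return null;
    }
    $data = unserialize($post['formkit_memory_recovery'], ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Hardened variant 2 (preferred for the bwRemember cookie): avoid PHP
// serialization entirely. Store JSON and authenticate it with an HMAC so a
// tampered cookie is rejected before anything is parsed. $key is a server secret.
function encodeMemoryCookie(array $memory, string $key): string
{
    $json = json_encode($memory, JSON_THROW_ON_ERROR);
    return base64_encode($json) . '.' . hash_hmac('sha256', $json, $key);
}

function decodeMemoryCookie(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $json = base64_decode($parts[0], true);
    if ($json === false || !hash_equals(hash_hmac('sha256', $json, $key), $parts[1])) {
        return null; // malformed or tampered: behave as if no memory cookie was sent
    }
    $data = json_decode($json, true);
    return is_array($data) ? $data : null;
}
```

Variant 1 is the minimal patch when the stored structure is plain arrays; variant 2 removes the deserialization sink altogether and also detects cookie tampering.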

AI Analysis

PHP object injection vulnerability in Rox allowing remote code execution

Basic Information

ID CVE-2025-34292
Source VulnCheck
Published Oct 27, 2025 at 14:36
Modified Oct 27, 2025 at 21:09

Affected Product

Vendor BeWelcome
Product Rox
Affected Versions BeWelcome Rox 0

CWE Classification

AI Assessment

AI Score 9.4 / 10
AI Severity Critical

References
