CVE-2025-34292

Rox, the software running BeWelcome, contains a PHP object injection vulnerability resulting from deserialization of untrusted data. User-controlled input is passed to PHP's unserialize(): the POST parameter `formkit_memory_recovery` in \\RoxPostHandler::getCallbackAction and the 'memory cookie' read by \\RoxModelBase::getMemoryCookie (bwRemember). (1) If present, `formkit_memory_recovery` is processed and passed to unserialize(), and (2) restore-from-memory functionality calls unserialize() on the bwRemember cookie value. Gadget chains present in Rox and bundled libraries enable exploitation of object injection to write arbitrary files or achieve remote code execution. Successful exploitation can lead to full site compromise. This vulnerability was remediated with commit c60bf04 (2025-06-16).

CVSS

No CVSS.

References

Link	Resource
https://gist.github.com/mcdruid/c0f7c42b28949c7d86cf77d0c674f398
https://github.com/BeWelcome/rox
https://github.com/BeWelcome/rox/commit/c60bf04
https://www.vulncheck.com/advisories/rox-php-object-injection-rce
https://gist.github.com/mcdruid/c0f7c42b28949c7d86cf77d0c674f398

Configurations

No configuration.

History

27 Oct 2025, 16:15

Type	Values Removed	Values Added
Summary	(en) Rox, the software running BeWelcome, contains a PHP object injection vulnerability resulting from deserialization of untrusted data. User-controlled input is passed to PHP's unserialize(): the POST parameter `formkit_memory_recovery` in \\RoxPostHandler::getCallbackAction and the 'memory cookie' read by \\RoxModelBase::getMemoryCookie (bwRemember). (1) If present, `formkit_memory_recovery` is processed and passed to unserialize(), and (2) restore-from-memory functionality calls unserialize() on the bwRemember cookie value. Gadget chains present in Rox and bundled libraries enable exploitation of object injection to write arbitrary files or achieve remote code execution. Successful exploitation can lead to full site compromise. This vulnerability was introduced with commit f09be94 (2025-01-03) and remediated with commit c60bf04 (2025-06-16).	(en) Rox, the software running BeWelcome, contains a PHP object injection vulnerability resulting from deserialization of untrusted data. User-controlled input is passed to PHP's unserialize(): the POST parameter `formkit_memory_recovery` in \\RoxPostHandler::getCallbackAction and the 'memory cookie' read by \\RoxModelBase::getMemoryCookie (bwRemember). (1) If present, `formkit_memory_recovery` is processed and passed to unserialize(), and (2) restore-from-memory functionality calls unserialize() on the bwRemember cookie value. Gadget chains present in Rox and bundled libraries enable exploitation of object injection to write arbitrary files or achieve remote code execution. Successful exploitation can lead to full site compromise. This vulnerability was remediated with commit c60bf04 (2025-06-16).
References	~~{'url': 'https://github.com/BeWelcome/rox/commit/f09be94', 'source': 'disclosure@vulncheck.com'}~~
References	~~() https://gist.github.com/mcdruid/c0f7c42b28949c7d86cf77d0c674f398 -~~	() https://gist.github.com/mcdruid/c0f7c42b28949c7d86cf77d0c674f398 -

27 Oct 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-10-27 15:15

Updated : 2025-10-30 15:05

NVD link : CVE-2025-34292

Mitre link : CVE-2025-34292

CVE.ORG link : CVE-2025-34292

JSON object : View

Products Affected

No product.

CWE

CWE-502

Deserialization of Untrusted Data

JSON object

Attach tags to CVE-2025-34292

Attach tags to `CVE-2025-34292`