CVE-2025-54366

FreeScout is a lightweight free open source help desk and shared inbox built with PHP (Laravel framework). In versions 1.8.185 and below, there is a critical deserialization vulnerability in the /conversation/ajax endpoint that allows authenticated users with knowledge of the APP_KEY to achieve remote code execution. The vulnerability occurs when the application processes the attachments_all and attachments POST parameters through the insecure Helper::decrypt() function, which performs unsafe deserialization of user-controlled data without proper validation. This flaw enables attackers to create arbitrary objects and manipulate their properties, leading to complete compromise of the web application. This is fixed in version 1.8.186.

CVSS

No CVSS.

References

Link	Resource
https://github.com/freescout-help-desk/freescout/commit/9669c57f1ddbee896752d9e16270abfd97b20eb9
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-vcc2-6r66-gvvj

Configurations

No configuration.

History

29 Jul 2025, 14:14

Type	Values Removed	Values Added
Summary		(es) FreeScout es un servicio de asistencia y bandeja de entrada compartida, ligero, gratuito y de código abierto, desarrollado con PHP (Laravel framework). En las versiones 1.8.185 y anteriores, existe una vulnerabilidad crítica de deserialización en el endpoint /conversation/ajax que permite a los usuarios autenticados con conocimiento de APP_KEY ejecutar código remoto. La vulnerabilidad ocurre cuando la aplicación procesa los parámetros POST attachments_all y attachments mediante la función insegura Helper::decrypt(), que realiza una deserialización insegura de datos controlados por el usuario sin la validación adecuada. Esta falla permite a los atacantes crear objetos arbitrarios y manipular sus propiedades, lo que compromete por completo la aplicación web. Esto se corrigió en la versión 1.8.186.

26 Jul 2025, 04:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-26 04:16

Updated : 2025-07-29 14:14

NVD link : CVE-2025-54366

Mitre link : CVE-2025-54366

CVE.ORG link : CVE-2025-54366

JSON object : View

Products Affected

No product.

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2025-54366", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-26T04:16:04.857", "references": [{"url": "https://github.com/freescout-help-desk/freescout/commit/9669c57f1ddbee896752d9e16270abfd97b20eb9", "source": "security-advisories@github.com"}, {"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-vcc2-6r66-gvvj", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "FreeScout is a lightweight free open source help desk and shared inbox built with PHP (Laravel framework). In versions 1.8.185 and below, there is a critical deserialization vulnerability in the /conversation/ajax endpoint that allows authenticated users with knowledge of the APP_KEY to achieve remote code execution. The vulnerability occurs when the application processes the attachments_all and attachments POST parameters through the insecure Helper::decrypt() function, which performs unsafe deserialization of user-controlled data without proper validation. This flaw enables attackers to create arbitrary objects and manipulate their properties, leading to complete compromise of the web application. This is fixed in version 1.8.186."}, {"lang": "es", "value": "FreeScout es un servicio de asistencia y bandeja de entrada compartida, ligero, gratuito y de c\u00f3digo abierto, desarrollado con PHP (Laravel framework). En las versiones 1.8.185 y anteriores, existe una vulnerabilidad cr\u00edtica de deserializaci\u00f3n en el endpoint /conversation/ajax que permite a los usuarios autenticados con conocimiento de APP_KEY ejecutar c\u00f3digo remoto. La vulnerabilidad ocurre cuando la aplicaci\u00f3n procesa los par\u00e1metros POST attachments_all y attachments mediante la funci\u00f3n insegura Helper::decrypt(), que realiza una deserializaci\u00f3n insegura de datos controlados por el usuario sin la validaci\u00f3n adecuada. Esta falla permite a los atacantes crear objetos arbitrarios y manipular sus propiedades, lo que compromete por completo la aplicaci\u00f3n web. Esto se corrigi\u00f3 en la versi\u00f3n 1.8.186."}], "lastModified": "2025-07-29T14:14:55.157", "sourceIdentifier": "security-advisories@github.com"}