Description

Rox, the software running BeWelcome, contains a PHP object injection vulnerability resulting from deserialization of untrusted data. User-controlled input is passed to PHP's unserialize() at two points: the POST parameter `formkit_memory_recovery` in \RoxPostHandler::getCallbackAction, and the 'memory cookie' (bwRemember) read by \RoxModelBase::getMemoryCookie. (1) If present, `formkit_memory_recovery` is processed and passed to unserialize(), and (2) the restore-from-memory functionality calls unserialize() on the bwRemember cookie value. Gadget chains present in Rox and its bundled libraries allow the object injection to be turned into arbitrary file writes or remote code execution. Successful exploitation can lead to full site compromise. This vulnerability was remediated with commit c60bf04 (2025-06-16).
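The following PHP is an added illustration of the CWE-502 pattern described above and of a hardened replacement; it is not code from Rox or from the fixing commit. The parameter name `formkit_memory_recovery` and the cookie name `bwRemember` come from the advisory; the function names, the shape of the stored state and the placeholder key are hypothetical. It requires PHP 7.1 or later.

```php
<?php
// Added example; not Rox code. Function names, the $state shape and the
// placeholder key are hypothetical.

// --- Vulnerable pattern (CWE-502) -------------------------------------------
// Anything the client can set (a cookie, a POST field) reaches unserialize()
// unchanged. PHP instantiates whatever class the payload names and later runs
// its __wakeup()/__destruct() methods; that is what makes gadget chains usable.
function restoreMemoryInsecure(array $cookies): ?array
{
    if (!isset($cookies['bwRemember'])) {
        return null;
    }
    $state = unserialize($cookies['bwRemember']);
    return is_array($state) ? $state : null;
}

// --- Hardened replacement ---------------------------------------------------
// 1. Carry only data (JSON), never PHP objects, so no class is ever instantiated.
// 2. Authenticate the blob with an HMAC so a client cannot forge or alter it.
function encodeMemory(array $state, string $key): string
{
    $payload = json_encode($state);
    if ($payload === false) {
        throw new RuntimeException('state is not JSON-encodable');
    }
    $mac = hash_hmac('sha256', $payload, $key);
    return base64_encode($mac . '.' . $payload);
}

function decodeMemory($blob, string $key): ?array
{
    if (!is_string($blob) || $blob === '') {
        return null;
    }
    $raw = base64_decode($blob, true);
    if ($raw === false || strpos($raw, '.') === false) {
        return null;
    }
    [$mac, $payload] = explode('.', $raw, 2);
    // Constant-time comparison; reject before anything is parsed.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    $state = json_decode($payload, true, 8); // associative arrays only, shallow
    return is_array($state) ? $state : null;
}

// One decoder serves both inputs named in the advisory.
function restoreMemorySecure(array $post, array $cookies, string $key): ?array
{
    return decodeMemory($post['formkit_memory_recovery'] ?? null, $key)
        ?? decodeMemory($cookies['bwRemember'] ?? null, $key);
}

// --- Stopgap while the stored format cannot yet be changed -------------------
// allowed_classes => false turns every object in the payload into
// __PHP_Incomplete_Class, so no application or library class is constructed and
// no __wakeup()/__destruct() runs. The data itself is still untrusted.
function unserializeDataOnly(string $blob)
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Usage with a constructed sample; the real key belongs in server-side config.
$key    = getenv('MEMORY_COOKIE_KEY') ?: 'PLACEHOLDER-CHANGE-ME';
$cookie = encodeMemory(['lastPage' => '/members', 'lang' => 'en'], $key);
var_dump(decodeMemory($cookie, $key));        // the array above
var_dump(decodeMemory($cookie, 'other-key')); // NULL: MAC does not verify
```

The JSON change is the actual fix: once no PHP object can be created from client input, the gadget chains mentioned in the description have nothing to attach to. The HMAC is there so that the remembered state cannot be forged or tampered with; it does not on its own make unserialize() safe, and the `allowed_classes` call is only a bridge for code paths that must still read legacy serialized values.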

State: PUBLISHED | Reserved 2025-04-15 | Published 2025-10-27 | Updated 2025-10-27 | Assigner: VulnCheck

CRITICAL: 9.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem types

CWE-502 Deserialization of Untrusted Data

Product status

Default status: unaffected

Any version before commit c60bf04: affected

Credits

Drew Webber (mcdruid) finder

References

github.com/BeWelcome/rox product

gist.github.com/mcdruid/c0f7c42b28949c7d86cf77d0c674f398 technical-description exploit

github.com/BeWelcome/rox/commit/c60bf04 patch

www.vulncheck.com/advisories/rox-php-object-injection-rce third-party-advisory

cve.org (CVE-2025-34292)

nvd.nist.gov (CVE-2025-34292)