CVE-2025-54366 | THREATINT

Description

FreeScout is a lightweight free open source help desk and shared inbox built with PHP (Laravel framework). In versions 1.8.185 and below, there is a critical deserialization vulnerability in the /conversation/ajax endpoint that allows authenticated users with knowledge of the APP_KEY to achieve remote code execution. The vulnerability occurs when the application processes the attachments_all and attachments POST parameters through the insecure Helper::decrypt() function, which performs unsafe deserialization of user-controlled data without proper validation. This flaw enables attackers to create arbitrary objects and manipulate their properties, leading to complete compromise of the web application. This is fixed in version 1.8.186.

PUBLISHED Reserved 2025-07-21 | Published 2025-07-26 | Updated 2025-07-28 | Assigner GitHub_M

HIGH: 8.6CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-502: Deserialization of Untrusted Data

Product status

< 1.8.186

affected

References

github.com/...escout/security/advisories/GHSA-vcc2-6r66-gvvj

github.com/...ommit/9669c57f1ddbee896752d9e16270abfd97b20eb9

cve.org (CVE-2025-54366)

nvd.nist.gov (CVE-2025-54366)

Download JSON