CVE-2025-34292

Vulnerability Description

Rox, the software running BeWelcome, contains a PHP object injection vulnerability resulting from deserialization of untrusted data. User-controlled input is passed to PHP's unserialize(): the POST parameter `formkit_memory_recovery` in \\RoxPostHandler::getCallbackAction and the 'memory cookie' read by \\RoxModelBase::getMemoryCookie (bwRemember). (1) If present, `formkit_memory_recovery` is processed and passed to unserialize(), and (2) restore-from-memory functionality calls unserialize() on the bwRemember cookie value. Gadget chains present in Rox and bundled libraries enable exploitation of object injection to write arbitrary files or achieve remote code execution. Successful exploitation can lead to full site compromise. This vulnerability was remediated with commit c60bf04 (2025-06-16).

Related Weaknesses (CWE)

References

• https://gist.github.com/mcdruid/c0f7c42b28949c7d86cf77d0c674f398
• https://github.com/BeWelcome/rox
• https://github.com/BeWelcome/rox/commit/c60bf04
• https://www.vulncheck.com/advisories/rox-php-object-injection-rce
• https://gist.github.com/mcdruid/c0f7c42b28949c7d86cf77d0c674f398

FAQ

What is CVE-2025-34292?

CVE-2025-34292 is a documented vulnerability. Rox, the software running BeWelcome, contains a PHP object injection vulnerability resulting from deserialization of untrusted data. User-controlled input is passed to PHP's unserialize(): the POST pa...

How severe is CVE-2025-34292?

CVSS scoring is not yet available for CVE-2025-34292. Check NVD for updates.

Is there a patch for CVE-2025-34292?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.