| Vulnerability | CVE-2025-49113 |
|---|---|
| Type | Remote Code Execution via PHP Object Deserialization |
| Description | Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows authenticated users to execute arbitrary code because the _from parameter in program/actions/settings/upload.php is not validated, leading to unsafe PHP object deserialization. |
| Affected Systems | - Roundcube Webmail versions prior to 1.5.10<br>- Roundcube Webmail versions 1.6.0–1.6.10 |
| Attack Vector | Remote (network) – attacker must be authenticated to the Roundcube instance. |
| Exploit Mechanism | A malicious _from value is stored in the session; when the session is unserialized, attacker‑controlled objects (e.g., Crypt_GPG_Engine) trigger proc_open() and run system commands. |
| Impact of the Bug | Successful exploitation grants remote code execution as the web‑server user, enabling full compromise of the webmail server and access to user mailboxes and stored data. |
| Detection Techniques | - Review web‑server logs for requests to upload.php containing unusual `_from` values (including `!`).<br>- Inspect PHP session storage for serialized objects or class names such as `Crypt_GPG_Engine`.<br>- Monitor for unexpected child processes (spawned via `proc_open()`) running as the web‑server user. |
| IOCs Related to Exploitation | Example malicious request pattern observed during exploitation: `/?_from=edit-!";i:0;O:16:"Crypt_GPG_Engine":1:{...}` |
| Mitigation Steps | - Upgrade Roundcube to 1.5.10 (LTS) or 1.6.11 (stable) immediately.<br>- For packaged environments (e.g., Plesk), apply the vendor‑supplied patches. |
| References | - NVD – CVE‑2025‑49113<br>- Roundcube Security Updates 1.6.11 / 1.5.10<br>- OffSec Technical Analysis<br>- Red Hat CVE page<br>- Plesk Advisory<br>- Dark Reading Coverage |
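The log-review step from the Detection Techniques row, as an added example that is not part of this record or of Roundcube: a Python scanner over constructed access-log lines that flags any request whose `_from` value carries quotes, a `!`, or a serialized PHP object header (`O:<len>:"Class"`), as in the IOC pattern above. The log lines and the benign `_from` values (`edit-identity`, `edit-response`) are assumptions, not captured traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined format); the third line carries the
# serialized-object marker from the IOC pattern, percent-encoded as a browser would send it.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2025:12:01:03 +0000] "GET /?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 512
10.0.0.5 - - [10/Jun/2025:12:01:09 +0000] "POST /?_task=settings&_action=upload&_from=edit-response HTTP/1.1" 200 77
10.0.0.9 - - [10/Jun/2025:12:02:41 +0000] "POST /?_from=edit-!%22;i:0;O:16:%22Crypt_GPG_Engine%22:1:{ HTTP/1.1" 200 77
"""

# client, timestamp, method, request target and status from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SAFE_FROM = re.compile(r'^[A-Za-z0-9_-]+$')           # assumed shape of legitimate values
PHP_OBJECT = re.compile(r'O:\d+:"(?P<cls>[A-Za-z0-9_\\]+)"')  # serialized PHP object header


def parse_query(query):
    """Split a query string on '&' only (';' must stay inside the value) and percent-decode."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, val = pair.partition("=")
            params.setdefault(unquote_plus(key), []).append(unquote_plus(val))
    return params


def suspicious_from(value):
    """Return the reasons a _from value looks like a deserialization probe (empty if clean)."""
    reasons = []
    if not SAFE_FROM.match(value):
        reasons.append("non-identifier characters")
    if "!" in value or '"' in value:
        reasons.append("contains '!' or quote as in the IOC pattern")
    m = PHP_OBJECT.search(value)
    if m:
        reasons.append("serialized object " + m.group("cls"))
    return reasons


def scan_access_log(text):
    """One finding per request whose _from parameter fails the checks above."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _, _, query = m.group("target").partition("?")
        for value in parse_query(query).get("_from", []):
            reasons = suspicious_from(value)
            if reasons:
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "from": value, "reasons": reasons})
    return findings
```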