Description

Rox, the software running BeWelcome, contains a PHP object injection vulnerability resulting from deserialization of untrusted data. User-controlled input is passed to PHP's unserialize(): the POST parameter `formkit_memory_recovery` in \\RoxPostHandler::getCallbackAction and the 'memory cookie' read by \\RoxModelBase::getMemoryCookie (bwRemember). (1) If present, `formkit_memory_recovery` is processed and passed to unserialize(), and (2) restore-from-memory functionality calls unserialize() on the bwRemember cookie value. Gadget chains present in Rox and bundled libraries enable exploitation of object injection to write arbitrary files or achieve remote code execution. Successful exploitation can lead to full site compromise. This vulnerability was remediated with commit c60bf04 (2025-06-16).

INFO

Published Date :

2025-10-27T14:36:52.888Z

Last Modified :

2026-03-23T15:43:50.134Z

Source :

VulnCheck
AFFECTED PRODUCTS

The following products are affected by CVE-2025-34292 vulnerability.

Vendors Products
Bewelcome
  • Rox
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-34292.

URL Resource
https://gist.github.com/mcdruid/c0f7c42b28949c7d86cf77d0c674f398 cve-icon cve-icon cve-icon
https://github.com/BeWelcome/rox cve-icon cve-icon
https://github.com/BeWelcome/rox/commit/c60bf04 cve-icon cve-icon
https://www.vulncheck.com/advisories/rox-php-object-injection-rce cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability