Description

FreeScout is a lightweight free open source help desk and shared inbox built with PHP (Laravel framework). In versions 1.8.185 and below, there is a critical deserialization vulnerability in the /conversation/ajax endpoint that allows authenticated users with knowledge of the APP_KEY to achieve remote code execution. The vulnerability occurs when the application processes the attachments_all and attachments POST parameters through the insecure Helper::decrypt() function, which performs unsafe deserialization of user-controlled data without proper validation. This flaw enables attackers to create arbitrary objects and manipulate their properties, leading to complete compromise of the web application. This is fixed in version 1.8.186.

INFO

Published Date :

2025-07-26T03:35:17.444Z

Last Modified :

2025-07-28T15:00:13.862Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-54366 vulnerability.

Vendors Products
Freescout
  • Freescout
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-54366.

URL Resource
https://github.com/freescout-help-desk/freescout/commit/9669c57f1ddbee896752d9e16270abfd97b20eb9 cve-icon cve-icon
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-vcc2-6r66-gvvj cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact