Common Weakness Enumeration

CWE-502

Allowed

Deserialization of Untrusted Data

Abstraction: Base · Status: Draft

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

4795 vulnerabilities reference this CWE, most recent first.

GHSA-FFJ9-C4HJ-67MG

Vulnerability from github – Published: 2025-10-08 15:32 – Updated: 2025-10-08 18:30
VLAI
Details

A fastjson deserialization vulnerability in uzy-ssm-mall v1.1.0 allows attackers to execute arbitrary code via supplying a crafted input.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-60834"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-08T15:16:24Z",
    "severity": "MODERATE"
  },
  "details": "A fastjson deserialization vulnerability in uzy-ssm-mall v1.1.0 allows attackers to execute arbitrary code via supplying a crafted input.",
  "id": "GHSA-ffj9-c4hj-67mg",
  "modified": "2025-10-08T18:30:16Z",
  "published": "2025-10-08T15:32:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60834"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/ChangeYourWay/5f2b0100b167edf868dd702c0fa3cc35"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ChangeYourWay/post/blob/main/uzy-ssm-mall2.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FFPP-564X-W86F

Vulnerability from github – Published: 2025-05-23 15:31 – Updated: 2026-04-01 18:35
VLAI
Details

Deserialization of Untrusted Data vulnerability in ZoomIt ZoomSounds allows Object Injection. This issue affects ZoomSounds: from n/a through 6.91.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-47568"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-23T13:15:39Z",
    "severity": "CRITICAL"
  },
  "details": "Deserialization of Untrusted Data vulnerability in ZoomIt ZoomSounds allows Object Injection. This issue affects ZoomSounds: from n/a through 6.91.",
  "id": "GHSA-ffpp-564x-w86f",
  "modified": "2026-04-01T18:35:15Z",
  "published": "2025-05-23T15:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47568"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/dzs-zoomsounds/vulnerability/wordpress-zoomsounds-plugin-6-91-php-object-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FFVR-GMP3-XX43

Vulnerability from github – Published: 2025-02-14 15:31 – Updated: 2025-02-19 17:48
VLAI
Summary
Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution
Details

CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft plugin module in Apache EventMesh master branch without release version on windows\linux\mac os e.g. platforms allows attackers to send controlled message and remote code execute via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.eventmesh:eventmesh-meta-raft"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.10.1"
            },
            {
              "fixed": "1.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-56180"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-19T17:48:09Z",
    "nvd_published_at": "2025-02-14T14:15:32Z",
    "severity": "CRITICAL"
  },
  "details": "CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft\u00a0plugin\u00a0module in Apache EventMesh master branch without release version on windows\\linux\\mac os e.g. platforms allows attackers to send controlled message and remote code execute\u00a0via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue.",
  "id": "GHSA-ffvr-gmp3-xx43",
  "modified": "2025-02-19T17:48:09Z",
  "published": "2025-02-14T15:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56180"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/eventmesh"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/k9fw0t5r7t1vbx53gs8d1r8c54rhx0wd"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-56180"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/02/14/7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution"
}

GHSA-FFWP-75CJ-Q944

Vulnerability from github – Published: 2025-02-18 12:31 – Updated: 2025-02-18 12:31
VLAI
Details

The Brooklyn theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.9.9.2 via deserialization of untrusted input in the ot_decode function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13636"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-18T11:15:10Z",
    "severity": "HIGH"
  },
  "details": "The Brooklyn theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.9.9.2 via deserialization of untrusted input in the ot_decode function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.",
  "id": "GHSA-ffwp-75cj-q944",
  "modified": "2025-02-18T12:31:17Z",
  "published": "2025-02-18T12:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13636"
    },
    {
      "type": "WEB",
      "url": "https://themeforest.net/item/brooklyn-responsive-multipurpose-wordpress-theme/6221179"
    },
    {
      "type": "WEB",
      "url": "https://unitedthemes.com/changelog"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/50cc3bd5-91ee-4b57-8159-60dd700375f3?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FG47-8FHH-P6FC

Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28
VLAI
Details

The All in One SEO – Best WordPress SEO Plugin – Easily Improve Your SEO Rankings before 4.1.0.2 enables authenticated users with "aioseo_tools_settings" privilege (most of the time admin) to execute arbitrary code on the underlying host. Users can restore plugin's configuration by uploading a backup .ini file in the section "Tool > Import/Export". However, the plugin attempts to unserialize values of the .ini file. Moreover, the plugin embeds Monolog library which can be used to craft a gadget chain and thus trigger system command execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-24307"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-24T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "The All in One SEO \u2013 Best WordPress SEO Plugin \u2013 Easily Improve Your SEO Rankings before 4.1.0.2 enables authenticated users with \"aioseo_tools_settings\" privilege (most of the time admin) to execute arbitrary code on the underlying host. Users can restore plugin\u0027s configuration by uploading a backup .ini file in the section \"Tool \u003e Import/Export\". However, the plugin attempts to unserialize values of the .ini file. Moreover, the plugin embeds Monolog library which can be used to craft a gadget chain and thus trigger system command execution.",
  "id": "GHSA-fg47-8fhh-p6fc",
  "modified": "2022-05-24T22:28:36Z",
  "published": "2022-05-24T22:28:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24307"
    },
    {
      "type": "WEB",
      "url": "https://aioseo.com/changelog"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/ab2c94d2-f6c4-418b-bd14-711ed164bcf1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FG54-49F9-XP8R

Vulnerability from github – Published: 2023-10-03 21:30 – Updated: 2024-04-04 08:12
VLAI
Details

A deserialization vulnerability in Afterlogic Aurora Files v9.7.3 allows attackers to execute arbitrary code via supplying a crafted .sabredav file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-43176"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-03T21:15:10Z",
    "severity": "HIGH"
  },
  "details": "A deserialization vulnerability in Afterlogic Aurora Files v9.7.3 allows attackers to execute arbitrary code via supplying a crafted .sabredav file.",
  "id": "GHSA-fg54-49f9-xp8r",
  "modified": "2024-04-04T08:12:56Z",
  "published": "2023-10-03T21:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43176"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\u0026version=3.1"
    },
    {
      "type": "WEB",
      "url": "https://sec.leonardini.dev/blog/cve-2023-43176-rce_aurora_files"
    },
    {
      "type": "WEB",
      "url": "http://afterlogic.com"
    },
    {
      "type": "WEB",
      "url": "http://aurora.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FG79-CR9C-7369

Vulnerability from github – Published: 2026-04-21 14:32 – Updated: 2026-04-21 14:32
VLAI
Summary
OpenMage LTS: Phar Deserialization leads to Remote Code Execution
Details

PHP functions such as getimagesize(), file_exists(), and is_readable() can trigger deserialization when processing phar:// stream wrapper paths. OpenMage LTS uses these functions with potentially controllable file paths during image validation and media handling. An attacker who can upload a malicious phar file (disguised as an image) and trigger one of these functions with a phar:// path can achieve arbitrary code execution.

Metric Value Justification
Attack Vector (AV) Network Exploitable via file upload and web requests
Attack Complexity (AC) High Requires file upload + triggering phar:// access
Privileges Required (PR) None Some upload vectors don't require authentication
User Interaction (UI) None Exploitation is automatic once triggered
Scope (S) Unchanged Impacts the vulnerable component
Confidentiality (C) High Full system access via RCE
Integrity (I) High Arbitrary code execution
Availability (A) High Complete system compromise possible

Affected Products

  • OpenMage LTS versions < 20.16.1
  • All versions derived from Magento 1.x with these code paths

Affected Files

File Line Vulnerable Function
app/code/core/Mage/Core/Model/File/Validator/Image.php 72 getimagesize($filePath)
app/code/core/Mage/Cms/Model/Wysiwyg/Images/Storage.php 137 getimagesize($item->getFilename())
lib/Varien/Image.php 71 $this->_getAdapter()->open($this->_fileName)

Vulnerability Details

PHP's phar (PHP Archive) format stores metadata that is serialized. When PHP's stream wrapper functions access a file using the phar:// protocol, the metadata is automatically deserialized. This occurs even with seemingly safe functions like file_exists() or getimagesize().

A polyglot file can be crafted that is both a valid image (passing initial validation) and a valid phar archive containing malicious serialized objects. When the application later processes this file using phar://, the deserialization triggers a gadget chain leading to RCE.

Attack Flow

  1. Create polyglot file: Attacker creates a file that is both valid JPEG and valid PHAR
  2. Upload file: Attacker uploads the polyglot via product images, CMS media, or import
  3. Trigger phar:// access: Attacker causes the application to access the file using phar:// wrapper
  4. Code execution: PHAR metadata deserialization triggers gadget chain

Proof of Concept

<?php
// Create malicious phar file
class ExploitGadget {
    public $cmd = 'id > /tmp/pwned';
    function __destruct() {
        system($this->cmd);
    }
}

$phar = new Phar('exploit.phar');
$phar->startBuffering();
$phar->addFromString('test.txt', 'test');
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->setMetadata(new ExploitGadget());
$phar->stopBuffering();

// Rename to appear as image
rename('exploit.phar', 'exploit.jpg');

// When getimagesize('phar://path/to/exploit.jpg') is called,
// the ExploitGadget::__destruct() method executes

Remediation

Block phar:// paths before passing to vulnerable functions:

// Before (vulnerable)
[$imageWidth, $imageHeight, $fileType] = getimagesize($filePath);

// After (fixed)
if (str_starts_with($filePath, 'phar://')) {
    throw new Exception('Invalid image path.');
}
[$imageWidth, $imageHeight, $fileType] = getimagesize($filePath);

Additionally, ICO files (which cannot be re-encoded by GD) are now scanned for phar signatures:

  • __HALT_COMPILER(); - Required phar stub
  • <?php - PHP opening tag
  • <?= - PHP short echo tag

Additional hardening measures:

  1. ICO uploads removed: ICO file support is completely removed from new image uploads. This eliminates the polyglot attack vector entirely since all other image formats are re-encoded by GD, which strips any embedded phar metadata.

  2. Phar wrapper disabled: The phar:// stream wrapper is unregistered at application bootstrap, preventing any phar deserialization attacks regardless of code path.

  3. Cache deserialization hardening: All unserialize() calls on cached data now use allowed_classes => false as defense-in-depth.

Note: Existing uploaded ICO files will continue to work. Only new ICO uploads will be rejected. Users are encouraged to use PNG favicons for new uploads.

Workarounds

If immediate upgrade is not possible:

  1. Disable phar stream wrapper (if not needed):

ini ; php.ini disable_functions = phar://

Or in code:

php stream_wrapper_unregister('phar');

  1. Strict upload validation: Implement additional validation beyond file extension

  2. File storage isolation: Store uploads outside web root with randomized names

  3. Web Application Firewall: Block requests containing phar:// in parameters

Credit

This vulnerability was discovered and responsibly disclosed by blackhat2013 through HackerOne.

Timeline

  • 2025-12-31: Vulnerability reported via HackerOne
  • 2026-01-21: Fix developed and tested

Source: https://hackerone.com/reports/3482926

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "openmage/magento-lts"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "20.17.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25524"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-21T14:32:48Z",
    "nvd_published_at": "2026-04-20T17:16:32Z",
    "severity": "HIGH"
  },
  "details": "PHP functions such as `getimagesize()`, `file_exists()`, and `is_readable()` can trigger deserialization when processing `phar://` stream wrapper paths. OpenMage LTS uses these functions with potentially controllable file paths during image validation and media handling. An attacker who can upload a malicious phar file (disguised as an image) and trigger one of these functions with a `phar://` path can achieve arbitrary code execution.\n\n| Metric                   | Value     | Justification                                    |\n| ------------------------ | --------- | ------------------------------------------------ |\n| Attack Vector (AV)       | Network   | Exploitable via file upload and web requests     |\n| Attack Complexity (AC)   | High      | Requires file upload + triggering phar:// access |\n| Privileges Required (PR) | None      | Some upload vectors don\u0027t require authentication |\n| User Interaction (UI)    | None      | Exploitation is automatic once triggered         |\n| Scope (S)                | Unchanged | Impacts the vulnerable component                 |\n| Confidentiality (C)      | High      | Full system access via RCE                       |\n| Integrity (I)            | High      | Arbitrary code execution                         |\n| Availability (A)         | High      | Complete system compromise possible              |\n\n## Affected Products\n\n- OpenMage LTS versions \u003c 20.16.1\n- All versions derived from Magento 1.x with these code paths\n\n## Affected Files\n\n| File                                                      | Line | Vulnerable Function                            |\n| --------------------------------------------------------- | ---- | ---------------------------------------------- |\n| `app/code/core/Mage/Core/Model/File/Validator/Image.php`  | 72   | `getimagesize($filePath)`                      |\n| `app/code/core/Mage/Cms/Model/Wysiwyg/Images/Storage.php` | 137  | `getimagesize($item-\u003egetFilename())`           |\n| `lib/Varien/Image.php`                                    | 71   | `$this-\u003e_getAdapter()-\u003eopen($this-\u003e_fileName)` |\n\n## Vulnerability Details\n\nPHP\u0027s phar (PHP Archive) format stores metadata that is serialized. When PHP\u0027s stream wrapper functions access a file using the `phar://` protocol, the metadata is automatically deserialized. This occurs even with seemingly safe functions like `file_exists()` or `getimagesize()`.\n\nA polyglot file can be crafted that is both a valid image (passing initial validation) and a valid phar archive containing malicious serialized objects. When the application later processes this file using `phar://`, the deserialization triggers a gadget chain leading to RCE.\n\n### Attack Flow\n\n1. **Create polyglot file**: Attacker creates a file that is both valid JPEG and valid PHAR\n2. **Upload file**: Attacker uploads the polyglot via product images, CMS media, or import\n3. **Trigger phar:// access**: Attacker causes the application to access the file using `phar://` wrapper\n4. **Code execution**: PHAR metadata deserialization triggers gadget chain\n\n### Proof of Concept\n\n```php\n\u003c?php\n// Create malicious phar file\nclass ExploitGadget {\n    public $cmd = \u0027id \u003e /tmp/pwned\u0027;\n    function __destruct() {\n        system($this-\u003ecmd);\n    }\n}\n\n$phar = new Phar(\u0027exploit.phar\u0027);\n$phar-\u003estartBuffering();\n$phar-\u003eaddFromString(\u0027test.txt\u0027, \u0027test\u0027);\n$phar-\u003esetStub(\u0027\u003c?php __HALT_COMPILER(); ?\u003e\u0027);\n$phar-\u003esetMetadata(new ExploitGadget());\n$phar-\u003estopBuffering();\n\n// Rename to appear as image\nrename(\u0027exploit.phar\u0027, \u0027exploit.jpg\u0027);\n\n// When getimagesize(\u0027phar://path/to/exploit.jpg\u0027) is called,\n// the ExploitGadget::__destruct() method executes\n```\n\n## Remediation\n\nBlock `phar://` paths before passing to vulnerable functions:\n\n```php\n// Before (vulnerable)\n[$imageWidth, $imageHeight, $fileType] = getimagesize($filePath);\n\n// After (fixed)\nif (str_starts_with($filePath, \u0027phar://\u0027)) {\n    throw new Exception(\u0027Invalid image path.\u0027);\n}\n[$imageWidth, $imageHeight, $fileType] = getimagesize($filePath);\n```\n\nAdditionally, ICO files (which cannot be re-encoded by GD) are now scanned for phar signatures:\n\n- `__HALT_COMPILER();` - Required phar stub\n- `\u003c?php` - PHP opening tag\n- `\u003c?=` - PHP short echo tag\n\nAdditional hardening measures:\n\n1. **ICO uploads removed**: ICO file support is completely removed from new image uploads. This eliminates the polyglot attack vector entirely since all other image formats are re-encoded by GD, which strips any embedded phar metadata.\n\n2. **Phar wrapper disabled**: The `phar://` stream wrapper is unregistered at application bootstrap, preventing any phar deserialization attacks regardless of code path.\n\n3. **Cache deserialization hardening**: All `unserialize()` calls on cached data now use `allowed_classes =\u003e false` as defense-in-depth.\n\n**Note:** Existing uploaded ICO files will continue to work. Only new ICO uploads will be rejected. Users are encouraged to use PNG favicons for new uploads.\n\n## Workarounds\n\nIf immediate upgrade is not possible:\n\n1. **Disable phar stream wrapper** (if not needed):\n\n   ```ini\n   ; php.ini\n   disable_functions = phar://\n   ```\n\n   Or in code:\n\n   ```php\n   stream_wrapper_unregister(\u0027phar\u0027);\n   ```\n\n2. **Strict upload validation**: Implement additional validation beyond file extension\n\n3. **File storage isolation**: Store uploads outside web root with randomized names\n\n4. **Web Application Firewall**: Block requests containing `phar://` in parameters\n\n\n## Credit\n\nThis vulnerability was discovered and responsibly disclosed by [blackhat2013](https://hackerone.com/blackhat2013) through HackerOne.\n\n## Timeline\n\n- **2025-12-31**: Vulnerability reported via HackerOne\n- **2026-01-21**: Fix developed and tested\n\nSource: https://hackerone.com/reports/3482926",
  "id": "GHSA-fg79-cr9c-7369",
  "modified": "2026-04-21T14:32:48Z",
  "published": "2026-04-21T14:32:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-fg79-cr9c-7369"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25524"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OpenMage/magento-lts"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.17.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenMage LTS: Phar Deserialization leads to Remote Code Execution"
}

GHSA-FG86-4C2R-7WXW

Vulnerability from github – Published: 2024-07-15 17:48 – Updated: 2026-05-13 13:37
VLAI
Summary
TorrentPier Deserialization of Untrusted Data vulnerability
Details

Summary

In torrentpier/library/includes/functions.php, get_tracks() uses the unsafe native PHP serialization format to deserialize user-controlled cookies:

https://github.com/torrentpier/torrentpier/blob/84f6c9f4a081d9ffff4c233098758280304bf50f/library/includes/functions.php#L41-L60

PoC

One can use phpggc and the chain Guzzle/FW1 to write PHP code to an arbitrary file, and execute commands on the system. For instance, the cookie bb_t will be deserialized when browsing to viewforum.php.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.4.3"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "torrentpier/torrentpier"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-40624"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-15T17:48:26Z",
    "nvd_published_at": "2024-07-15T20:15:04Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nIn `torrentpier/library/includes/functions.php`, `get_tracks()` uses the unsafe native PHP serialization format to deserialize user-controlled cookies:\n\nhttps://github.com/torrentpier/torrentpier/blob/84f6c9f4a081d9ffff4c233098758280304bf50f/library/includes/functions.php#L41-L60\n\n### PoC\n\nOne can use [`phpggc`](https://github.com/ambionics/phpggc/) and the chain `Guzzle/FW1` to write PHP code to an arbitrary file, and execute commands on the system. For instance, the cookie `bb_t` will be deserialized when browsing to `viewforum.php`.",
  "id": "GHSA-fg86-4c2r-7wxw",
  "modified": "2026-05-13T13:37:02Z",
  "published": "2024-07-15T17:48:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/torrentpier/torrentpier/security/advisories/GHSA-fg86-4c2r-7wxw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40624"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torrentpier/torrentpier/commit/ed37e6e522f345f2b46147c6f53c1ab6dec1db9e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/torrentpier/torrentpier"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torrentpier/torrentpier/blob/84f6c9f4a081d9ffff4c233098758280304bf50f/library/includes/functions.php#L41-L60"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "TorrentPier Deserialization of Untrusted Data vulnerability"
}

GHSA-FGH3-PWMP-3QW3

Vulnerability from github – Published: 2024-05-08 15:30 – Updated: 2025-02-13 18:59
VLAI
Summary
Apache Inlong Deserialization of Untrusted Data vulnerability
Details

Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.7.0 through 1.11.0. The attackers can bypass using malicious parameters.

Users are advised to upgrade to Apache InLong's 1.12.0 or cherry-pick [1], [2] to solve it.

[1] https://github.com/apache/inlong/pull/9694

[2]  https://github.com/apache/inlong/pull/9707

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.inlong:manager-pojo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.7.0"
            },
            {
              "fixed": "1.12.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-26579"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-08T19:57:07Z",
    "nvd_published_at": "2024-05-08T15:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.7.0 through 1.11.0. The attackers can bypass using malicious parameters.\n\nUsers are advised to upgrade to Apache InLong\u0027s 1.12.0 or cherry-pick [1], [2] to solve it.\n\n[1]  https://github.com/apache/inlong/pull/9694 \n\n[2]\u00a0 https://github.com/apache/inlong/pull/9707",
  "id": "GHSA-fgh3-pwmp-3qw3",
  "modified": "2025-02-13T18:59:54Z",
  "published": "2024-05-08T15:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26579"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/inlong/pull/9694"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/inlong/pull/9707"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/inlong/commit/23e3e00cae1fd120b089fca54f7440945dfe11a4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/inlong/commit/cdf616670942fec7d09fae2452e2ea215205dd1d"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-fgh3-pwmp-3qw3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/inlong"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/d2hndtvh6bll4pkl91o2oqxyynhr54k3"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/05/09/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Inlong Deserialization of Untrusted Data vulnerability"
}

GHSA-FH75-FFJ9-CPM7

Vulnerability from github – Published: 2025-10-10 21:31 – Updated: 2025-10-10 21:31
VLAI
Details

e107 CMS thru 2.3.3 are vulnerable to insecure deserialization in the install.php script. The script processes user-controlled input in the previous_steps POST parameter using unserialize(base64_decode()) without validation, allowing attackers to craft malicious serialized data. This could lead to remote code execution, arbitrary file operations, or denial of service, depending on available PHP object gadgets in the codebase.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-61505"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-10T19:15:38Z",
    "severity": "MODERATE"
  },
  "details": "e107 CMS thru 2.3.3 are vulnerable to insecure deserialization in the `install.php` script. The script processes user-controlled input in the `previous_steps` POST parameter using `unserialize(base64_decode())` without validation, allowing attackers to craft malicious serialized data. This could lead to remote code execution, arbitrary file operations, or denial of service, depending on available PHP object gadgets in the codebase.",
  "id": "GHSA-fh75-ffj9-cpm7",
  "modified": "2025-10-10T21:31:15Z",
  "published": "2025-10-10T21:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61505"
    },
    {
      "type": "WEB",
      "url": "https://github.com/e107inc/e107/blob/master/install.php"
    },
    {
      "type": "WEB",
      "url": "https://xancatos.org/cve202561505"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.

Mitigation
Implementation

When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Mitigation
Implementation

Explicitly define a final object() to prevent deserialization.

Mitigation
Architecture and Design Implementation
  • Make fields transient to protect them from deserialization.
  • An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Implementation

Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.

Mitigation
Architecture and Design Implementation

Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.

Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-586: Object Injection

An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.