CVE-2025-34292

UNKNOWN 0.0

BeWelcome/Rox PHP Object Injection RCE

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Rox, the software running BeWelcome, contains a PHP object injection vulnerability resulting from deserialization of untrusted data. User-controlled input is passed to PHP's unserialize(): the POST parameter `formkit_memory_recovery` in \\RoxPostHandler::getCallbackAction and the 'memory cookie' read by \\RoxModelBase::getMemoryCookie (bwRemember). (1) If present, `formkit_memory_recovery` is processed and passed to unserialize(), and (2) restore-from-memory functionality calls unserialize() on the bwRemember cookie value. Gadget chains present in Rox and bundled libraries enable exploitation of object injection to write arbitrary files or achieve remote code execution. Successful exploitation can lead to full site compromise. This vulnerability was remediated with commit c60bf04 (2025-06-16).

CWE	CWE-502
Vendor	bewelcome
Product	rox
Published	Oct 27, 2025
Last Updated	Mar 23, 2026

Stay Ahead of the Next One

Get instant alerts for bewelcome rox

Be the first to know when new unknown vulnerabilities affecting bewelcome rox are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

BeWelcome / Rox

0 < c60bf04c2464c4bfb6cfed6372a2890ca2d0c585

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/BeWelcome/rox gist.github.com: https://gist.github.com/mcdruid/c0f7c42b28949c7d86cf77d0c674f398 github.com: https://github.com/BeWelcome/rox/commit/c60bf04 vulncheck.com: https://www.vulncheck.com/advisories/rox-php-object-injection-rce

Credits

Drew Webber (mcdruid)