CRITICAL🇵🇱 Wersja polska

CVE-2025-34060

CVSS 10.0v4.0pub. 2025-07-01upd. 2026-04-15

A PHP objection injection vulnerability exists in the Monero Project’s Laravel-based forum software due to unsafe handling of untrusted input in the /get/image/ endpoint. The application passes a user-supplied link parameter directly to file_get_contents() without validation. MIME type checks using PHP’s finfo can be bypassed via crafted stream filter chains that prepend spoofed headers, allowing access to internal Laravel configuration files. An attacker can extract the APP_KEY from config/app.php, forge encrypted cookies, and trigger unsafe unserialize() calls, leading to reliable remote code execution.

🤖 AI Analysis
How it works

The application passes the user-supplied 'link' parameter directly to the file_get_contents() function without validation. MIME type verification using PHP finfo can be bypassed through crafted stream filter chains that attach fake headers — allowing access to internal Laravel configuration files. The attacker reads the APP_KEY value from the config/app.php file, then forges encrypted cookies, which leads to calling the unsafe unserialize() function and ultimately to reliable remote code execution.

Impact

An attacker can gain full control over the server by executing arbitrary code remotely without any authentication. As a result of the attack, it is possible to compromise the entire application environment, including forum user data.

Mitigation & patch

Apply patches available from the vendor according to the references. Additionally, it is recommended to: disable public access to the /get/image/ endpoint, implement restrictive input parameter validation on the server side, rotate APP_KEY values, and invalidate all existing sessions and cookies.

Who is affected

Monero Project forum software based on the Laravel framework; specific versions indicated in the vendor's references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDeserialization
CWE
References