oss-security - Re: Roundcube webmail: Post-Auth RCE via PHP Object Deserialization reported by firs0v

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Message-ID: <0da814d8-76f9-4ce0-88bf-dbd1c5cc6ad6@sijanec.eu>
Date: Mon, 2 Jun 2025 08:42:55 +0200
From: Anton Luka Šijanec <anton@...anec.eu>
To: oss-security@...ts.openwall.com
Subject: Re: Roundcube webmail: Post-Auth RCE via PHP Object
 Deserialization reported by firs0v

Hanno Böck je 2. 6. 25 ob 07:26 napisal:
> Roundcube just published an update that appears to contain an important
> security fix:
> https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
> 
> "Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v."
> 
> Even though it says "Post-Auth", impact is likely high, as for a
> webmailer, it is a very common scenario that many people are
> potentially authenticated. (And it may just be another XSS away from
> non-authenticated RCE.)
> 

I believe this is

https://www.cve.org/CVERecord?id=CVE-2025-49113

CVE-2025-49113 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H score 9.9

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.