CVE-2025-34060

A PHP objection injection vulnerability exists in the Monero Project’s Laravel-based forum software due to unsafe handling of untrusted input in the /get/image/ endpoint. The application passes a user-supplied link parameter directly to file_get_contents() without validation. MIME type checks using PHP’s finfo can be bypassed via crafted stream filter chains that prepend spoofed headers, allowing access to internal Laravel configuration files. An attacker can extract the APP_KEY from config/app.php, forge encrypted cookies, and trigger unsafe unserialize() calls, leading to reliable remote code execution.

CVSS

No CVSS.

References

Link	Resource
https://swap.gs/posts/monero-forums/
https://vulncheck.com/advisories/monero-forum-rce

Configurations

No configuration.

History

03 Jul 2025, 15:14

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-01 15:15

Updated : 2025-07-03 15:14

NVD link : CVE-2025-34060

Mitre link : CVE-2025-34060

CVE.ORG link : CVE-2025-34060

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

CWE-502

Deserialization of Untrusted Data

CWE-829

Inclusion of Functionality from Untrusted Control Sphere

{"id": "CVE-2025-34060", "cveTags": [{"tags": ["unsupported-when-assigned"], "sourceIdentifier": "disclosure@vulncheck.com"}], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 10.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-01T15:15:24.620", "references": [{"url": "https://swap.gs/posts/monero-forums/", "source": "disclosure@vulncheck.com"}, {"url": "https://vulncheck.com/advisories/monero-forum-rce", "source": "disclosure@vulncheck.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-502"}, {"lang": "en", "value": "CWE-829"}]}], "descriptions": [{"lang": "en", "value": "A PHP objection injection vulnerability exists in the Monero Project\u2019s Laravel-based forum software due to unsafe handling of untrusted input in the /get/image/ endpoint. The application passes a user-supplied link parameter directly to file_get_contents() without validation. MIME type checks using PHP\u2019s finfo can be bypassed via crafted stream filter chains that prepend spoofed headers, allowing access to internal Laravel configuration files. An attacker can extract the APP_KEY from config/app.php, forge encrypted cookies, and trigger unsafe unserialize() calls, leading to reliable remote code execution."}, {"lang": "es", "value": "Existe una vulnerabilidad de inyecci\u00f3n de objeciones en PHP en el software de foro basado en Laravel del Proyecto Monero debido al manejo inseguro de entradas no confiables en el endpoint /get/image/. La aplicaci\u00f3n pasa un par\u00e1metro de enlace proporcionado por el usuario directamente a file_get_contents() sin validaci\u00f3n. Las comprobaciones de tipo MIME mediante finfo de PHP pueden eludirse mediante cadenas de filtros de flujo manipuladas que anteponen encabezados falsificados, lo que permite el acceso a los archivos de configuraci\u00f3n internos de Laravel. Un atacante puede extraer la clave APP_KEY de config/app.php, falsificar cookies cifradas y activar llamadas unserialize() inseguras, lo que provoca la ejecuci\u00f3n remota de c\u00f3digo fiable."}], "lastModified": "2025-07-03T15:14:12.767", "sourceIdentifier": "disclosure@vulncheck.com"}