Moodle: authenticated remote code execution risk in the Moodle LMS Dropbox repository
Description
A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS Dropbox repository. By default, this was only available to teachers and managers on sites with the Dropbox repository enabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A remote code execution vulnerability in Moodle's Dropbox repository allows authenticated teachers or managers to exploit insecure deserialization.
Vulnerability
Overview
A flaw was found in Moodle that creates a remote code execution risk in the Dropbox repository plugin. The root cause is the use of insecure unserialize() calls on serialized file references without proper validation or sanitization [1][2]. When handling file references, the code previously relied on the raw unserialize() PHP function, which can instantiate arbitrary PHP objects if an attacker controls the serialized data.
Exploitation
By default, the Dropbox repository is only available to teachers and managers on sites where the plugin is enabled [2]. An attacker with those roles can craft a malicious serialized object and supply it as part of a file reference. When Moodle processes the reference via get_reference_details(), fix_old_style_reference(), or unpack_reference(), the unserialize() call triggers object instantiation that can lead to arbitrary code execution [3].
Impact
Successful exploitation allows an authenticated attacker to execute arbitrary PHP code on the Moodle server. This could compromise the entire application, lead to data exfiltration, or provide a foothold for further attacks against the hosting infrastructure.
Mitigation
A fix is available in the Moodle commit that replaces unserialize() with the safer unserialize_object() function, which restricts deserialization to expected classes [3]. Administrators should apply the latest patched version of Moodle and review the Dropbox repository settings to limit access only to trusted roles.
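To make the mitigation concrete, the script below is an added illustration (not Moodle's code) that contrasts the raw unserialize() of a stored file reference with the allow-listed form the fix adopts. The class AuditedTempFile, the two function names, the serialized strings and the paths are constructed for the example, and restricting the allow-list to stdClass is an assumption about what unserialize_object() permits.

```php
<?php
declare(strict_types=1);

// Stand-in for any application class whose magic methods have side effects.
// Here the destructor only writes a log line; the point is that with a raw
// unserialize() the serialized string, not the application, picks the class.
class AuditedTempFile {
    public string $path = '';
    public function __destruct() {
        error_log('AuditedTempFile destructor ran for ' . $this->path);
    }
}

// What a legitimate stored reference looks like: a plain stdClass (constructed).
$legit = serialize((object) ['path' => '/docs/report.pdf', 'url' => 'https://example.invalid/s/abc']);

// Constructed hostile reference: same "path" field, but it names an application
// class instead of stdClass.
$hostile = 'O:15:"AuditedTempFile":1:{s:4:"path";s:8:"/tmp/xyz";}';

// Vulnerable pattern (what the plugin did before the fix): whatever class the
// string names gets instantiated, and its magic methods run.
function unpack_reference_unsafe(string $packed): mixed {
    return unserialize($packed);
}

// Hardened pattern: only stdClass may be materialised (assumed to match what
// Moodle's unserialize_object() allows). Any other class name is turned into
// __PHP_Incomplete_Class, so no constructor, __wakeup or __destruct executes,
// and a non-stdClass result is rejected outright instead of being dereferenced.
function unpack_reference_safe(string $packed): ?stdClass {
    $ref = @unserialize($packed, ['allowed_classes' => [stdClass::class]]);
    return $ref instanceof stdClass ? $ref : null;
}

// Legitimate references are handled identically by both functions.
assert(unpack_reference_safe($legit)?->path === '/docs/report.pdf');

// The hostile string instantiates the named class under the old pattern ...
$unsafe = unpack_reference_unsafe($hostile);
assert($unsafe instanceof AuditedTempFile);
unset($unsafe); // ... and its destructor fires at this point.

// ... but is rejected under the hardened pattern, so no magic method runs.
assert(unpack_reference_safe($hostile) === null);
echo "hardened unpack rejected the non-stdClass reference\n";
```

Run it with PHP 8 or later (nullsafe operator and the mixed return type); the same allow-list check is what to grep for when auditing other plugins that store serialized references.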
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| moodle/moodle | Packagist | < 4.1.18 | 4.1.18 |
| moodle/moodle | Packagist | >= 4.3.0-beta, < 4.3.12 | 4.3.12 |
| moodle/moodle | Packagist | >= 4.4.0-beta, < 4.4.8 | 4.4.8 |
| moodle/moodle | Packagist | >= 4.5.0-beta, < 4.5.4 | 4.5.4 |
Affected products
- OSV coordinates (no CPE): range < 4.1.18, plus 1 more range
Patches
Commit 27b839b5c603: MDL-84475 repository_dropbox: safer unserializing of file references.
1 file changed · +5 −5
repository/dropbox/lib.php+5 −5 modified@@ -111,7 +111,7 @@ public function send_file($storedfile, $lifetime=null , $filter=0, $forcedownloa */ public function get_reference_details($reference, $filestatus = 0) { global $USER; - $ref = unserialize($reference); + $ref = unserialize_object($reference); $detailsprefix = $this->get_name(); if (isset($ref->userid) && $ref->userid != $USER->id && isset($ref->username)) { $detailsprefix .= ' ('.$ref->username.')'; @@ -343,8 +343,8 @@ public function send_thumbnail($source) { * @return string New serialized reference */ protected function fix_old_style_reference($packed) { - $ref = unserialize($packed); - $ref = $this->dropbox->get_file_share_info($ref->path); + $ref = unserialize_object($packed); + $ref = $this->dropbox->get_file_share_info($ref->path ?? ''); if (!$ref || empty($ref->url)) { // Some error occurred, do not fix reference for now. return $packed; @@ -396,10 +396,10 @@ protected function fix_old_style_reference($packed) { * @return object The unpacked reference */ protected function unpack_reference($packed) { - $reference = unserialize($packed); + $reference = unserialize_object($packed); if (empty($reference->url)) { // The reference is missing some information. Attempt to update it. - return unserialize($this->fix_old_style_reference($packed)); + return unserialize_object($this->fix_old_style_reference($packed)); } return $reference;
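Review bot: in the first hunk (get_reference_details(), around line 111) the only change is the deserializer swap, and the function still assumes $ref is an object when it reads $ref->userid and $ref->username, relying on isset() to stay quiet if unserialize_object() hands back something else for a malformed reference. An explicit `is_object($ref)` guard right after `$ref = unserialize_object($reference);` would state that intent instead of leaning on isset() semantics, and since the patch touches only repository/dropbox/lib.php (+5 −5), any other unserialize() of stored file references in the tree should be checked against the same pattern.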
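Review bot: in the second hunk (fix_old_style_reference(), around line 343) the new `$ref->path ?? ''` means a reference with no path now reaches `$this->dropbox->get_file_share_info('')`, and the following `if (!$ref || empty($ref->url))` is what catches the failed lookup. Returning $packed before the lookup when the path is empty (for example `if (empty($ref->path)) { return $packed; }`) would avoid a remote call with an empty path and make the error path explicit; the docblock `@return string New serialized reference` should also say that the original string comes back unchanged on failure.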
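Review bot: in the third hunk (unpack_reference(), around line 396) the fallback `return unserialize_object($this->fix_old_style_reference($packed));` deserializes the original string a second time whenever fix_old_style_reference() gives up and returns $packed unchanged, so the caller still receives a reference whose url is empty. That is acceptable behaviour, but the docblock `@return object The unpacked reference` should note that url may be missing so callers know to check it rather than assume a usable reference.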
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-c8v6-vxhf-wcrr (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-3641 (advisory)
- access.redhat.com/security/cve/CVE-2025-3641 (Red Hat vulnerability database entry)
- bugzilla.redhat.com/show_bug.cgi (Red Hat issue tracking)
- github.com/moodle/moodle/commit/27b839b5c60389623ca8e3496792b43a44527cd6 (fix commit)
- moodle.org/mod/forum/discuss.php (web)