CVE-2025-56588
Description
Dolibarr ERP & CRM v21.0.1 was discovered to contain a remote code execution (RCE) vulnerability in the User module configuration via the computed field parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dolibarr ERP & CRM v21.0.1 contains a remote code execution vulnerability in the User module configuration via the computed field.
Vulnerability
Overview
CVE-2025-56588 is a remote code execution (RCE) vulnerability found in Dolibarr ERP & CRM version 21.0.1. The flaw resides in the User module configuration, specifically within the computed field parameter. The root cause is the acceptance of callable parameters, which can be abused to execute arbitrary code. A commit addressing this issue removes functions that accept such callable parameters [1].
Exploitation
An attacker with access to the User module configuration can exploit this vulnerability by crafting a malicious input for the computed field parameter. The attack does not require authentication, as the vulnerable parameter is accessible to unauthenticated users. The attacker must be able to send HTTP requests to the Dolibarr instance [1].
Impact
Successful exploitation allows an attacker to execute arbitrary PHP code on the server, leading to full control of the application and underlying system. This can lead to data theft, system compromise, and further lateral movement within the network [1].
Mitigation
The vulnerability has been patched in the Dolibarr repository via commit b03f30c7e27fb89dbfb15902dbf4619ae77f0f86 [1]. Users are strongly advised to update to a version that includes this fix. No workarounds have been provided [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dolibarr/dolibarr (Packagist) | < 21.0.3 | 21.0.3 |
Affected products
- Dolibarr / ERP & CRM
  - Range: = 21.0.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.