CVE-2025-60641
Description
The file mexcel.php in the Vfront 0.99.52 codebase contains a vulnerable call to unserialize(base64_decode($_POST['mexcel'])), where $_POST['mexcel'] is user-controlled input. This input is decoded from base64 and deserialized without validation or use of the allowed_classes option, allowing an attacker to inject arbitrary PHP objects. This can lead to malicious behavior, such as Remote Code Execution (RCE), SQL Injection, Path Traversal, or Denial of Service, depending on the availability of exploitable classes in the Vfront codebase or its dependencies.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vfront 0.99.52 mexcel.php deserializes user input without validation, allowing PHP object injection that can lead to RCE, SQLi, or other attacks.
Vulnerability
Details
The vulnerability is a PHP Object Injection (CWE-502) in the Vfront 0.99.52 codebase, specifically in the file mexcel.php. The root cause is the use of unserialize(base64_decode($_POST['mexcel'])) without any validation or the allowed_classes option. This allows an attacker to supply arbitrary serialized PHP objects via the mexcel POST parameter, which is base64-decoded and then deserialized [1].
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by sending a crafted HTTP POST request to mexcel.php with a base64-encoded serialized PHP object in the mexcel parameter. Since there is no input sanitization or restriction on allowed classes, the attacker can inject any PHP object that exists in the application or its dependencies [1].
Impact
Successful exploitation enables the attacker to trigger arbitrary code execution, SQL injection, path traversal, or denial of service, depending on the available gadget chains (exploitable classes) in the Vfront codebase or its libraries. This could lead to full compromise of the server, data exfiltration, or service disruption [1].
Mitigation
As of the advisory, no official patch has been released. Mitigations include removing or restricting access to mexcel.php, using the allowed_classes option in unserialize(), or implementing input validation and whitelisting for serialized data [1]. Users should monitor for updates from the vendor.
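The unsafe call the advisory describes, beside a hardened replacement that applies the allowed_classes option, as an added example that is not Vfront's own code. The mexcel field name comes from the advisory; the expected payload shape (a plain array of export settings) and the demo payloads are assumptions.

```php
<?php
// Added example, not Vfront's code. Shows the pattern from the advisory
// (unserialize on attacker-controlled base64 data) next to a hardened variant.

// --- Weak: the pattern the advisory describes in mexcel.php ---
// Any serialized object in the request is instantiated, so __wakeup()/__destruct()
// and other magic methods of every loadable class are reachable.
function decode_mexcel_unsafe(string $b64)
{
    return unserialize(base64_decode($b64));
}

// --- Hardened: same input, but no object can be instantiated ---
// Assumption: mexcel is expected to carry a plain array of export settings.
function decode_mexcel_safe(string $b64): array
{
    $raw = base64_decode($b64, true);          // strict mode rejects non-base64 input
    if ($raw === false) {
        throw new InvalidArgumentException('mexcel is not valid base64');
    }
    // allowed_classes => false: objects in the stream become __PHP_Incomplete_Class,
    // so no application class (and no magic method) runs during unserialize().
    // max_depth (PHP >= 7.4) bounds nesting to blunt resource-exhaustion payloads.
    $data = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 8]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('mexcel must decode to an array');
    }
    // Reject leftover __PHP_Incomplete_Class placeholders instead of using them.
    array_walk_recursive($data, function ($v) {
        if (is_object($v)) {
            throw new InvalidArgumentException('objects are not permitted in mexcel');
        }
    });
    return $data;
}

// Demo with constructed, benign payloads: a serialized array (accepted) and a
// serialized stdClass object (rejected by the hardened decoder).
$arrayPayload  = base64_encode(serialize(['sheet' => 'export', 'rows' => 10]));
$objectPayload = base64_encode('O:8:"stdClass":1:{s:1:"x";i:1;}');

var_dump(decode_mexcel_safe($arrayPayload));
try {
    decode_mexcel_safe($objectPayload);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

If the data never needs to be PHP-serialized at all, replacing the format with JSON (json_decode with assoc=true) removes the object-injection surface entirely.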
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.