CVE-2025-34060

Monero Forum Remote Code Execution via Arbitrary File Read and Cookie Forgery

Summary
  • Severity Score: 10.0 (CVSS v4)
  • Exploit Likelihood: not shown (EPSS)
  • Affected Versions: see below (CPE)
  • Public Exploits: 0 (multiple sources)
  • Exploited in Wild: - (KEV)
  • Decision: Track* (SSVC)
Descriptions

A PHP object injection vulnerability exists in the Monero Project’s Laravel-based forum software due to unsafe handling of untrusted input in the /get/image/ endpoint. The application passes a user-supplied link parameter directly to file_get_contents() without validation. MIME type checks using PHP’s finfo can be bypassed via crafted stream filter chains that prepend spoofed headers, allowing access to internal Laravel configuration files. An attacker can extract the APP_KEY from config/app.php, forge encrypted cookies, and trigger unsafe unserialize() calls, leading to reliable remote code execution.

*Credits: cfreal

CVSS Scores
CVSS v4.0
  • Attack Vector: Network
  • Attack Complexity: Low
  • Attack Requirements: None
  • Privileges Required: None
  • User Interaction: None
  • Confidentiality (Vulnerable System / Subsequent System): High / High
  • Integrity (Vulnerable System / Subsequent System): High / High
  • Availability (Vulnerable System / Subsequent System): High / High

CVSS v3.x
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: Track*
  • Exploitation: PoC
  • Automatable: No
  • Technical Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2025-04-15 CVE Reserved
  • 2025-07-01 CVE Published
  • 2025-07-01 CVE Updated
  • 2025-07-07 EPSS Updated
  • ---------- Exploited in Wild (not recorded)
  • ---------- KEV Due Date (not recorded)
  • ---------- First Exploit (not recorded)
CWE
  • CWE-20: Improper Input Validation
  • CWE-502: Deserialization of Untrusted Data
  • CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CAPEC
  • CAPEC-137: Parameter Injection
  • CAPEC-153: Input Data Manipulation
  • CAPEC-248: Command Injection
References (2)
Affected Vendors, Products, and Versions
  • Vendor: Monero Project
  • Product: Forum
  • Version: 0
  • Status: Affected