Miggo Logo
Miggo Vulnerability Database
CVE-2025-48200

CVE-2025-48200:
The Front End User Registration extension for TYPO3 (sr_feuser_register) Remote Code Execution

10

CVSS Score
3.1

Basic Information

CVE ID
CVE-2025-48200
GHSA ID
GHSA-qfm8-78qf-p75j
EPSS Score
0.51382%
CWE
CWE-502
Published
5/21/2025
Updated
5/21/2025
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
sjbr/sr-feuser-registercomposer>= 5.1.0, < 12.5.012.5.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

Unable to fetch commit details from the provided Codeberg URL (https://codeberg.org/sjbr/sr-feuser-register/commit/be44f61a475371c36b2035cbb523b56f5e34267d) or a GitHub mirror. The TYPO3 security advisory (TYPO3-EXT-SA-2025-008) describes the vulnerability as 'Remote Code Execution via unsafe deserialization' where 'The extension allows the exchange of a serialized file object representation of a previously uploaded file without proper validation. This enables an attacker to inject arbitrary serialized PHP objects, which may be deserialized on the server side...'. Without access to the specific code changes in the patch, it's impossible to identify the exact vulnerable functions, their file paths, or provide patch evidence. The vulnerable functions would be those responsible for handling and deserializing these file object representations within the 'sr_feuser_register' extension. To identify them, analysis of the code changes between the vulnerable versions (e.g., 12.4.8) and the patched version (12.5.0) would be required.

Method Explanation

The primary challenge in this analysis is the inability to directly fetch and inspect the commit diff that patches the vulnerability. The provided Codeberg link (https://codeberg.org/sjbr/sr-feuser-register/commit/be44f61a475371c36b2035cbb523b56f5e34267d) was inaccessible, and attempts to find a mirror on GitHub also failed.

Therefore, the analysis relies heavily on the textual description of the vulnerability provided in the TYPO3 security advisory (TYPO3-EXT-SA-2025-008).

Here's the reasoning process:

  1. Understand the Vulnerability Type: The core issue is "Remote Code Execution via unsafe deserialization." This immediately tells us that the vulnerability lies in a part of the code that deserializes data, and this data can be controlled by an attacker.

  2. Identify the Attack Vector: The advisory states: "The extension allows the exchange of a serialized file object representation of a previously uploaded file without proper validation. This enables an attacker to inject arbitrary serialized PHP objects, which may be deserialized on the server side..."

    • This points to a feature related to file uploads or handling representations of uploaded files.
    • The key is "serialized file object representation" and "inject arbitrary serialized PHP objects."

  3. Locate Potential Code Areas (Conceptual): Based on the above, the vulnerable code must be in a part of the sr_feuser_register extension that:

    • Handles input related to files (e.g., file IDs, serialized file data).
    • Uses a deserialization function (like PHP's unserialize()) on this input.
    • Lacks proper validation or sanitization of the input before deserialization.

  4. Infer Function Characteristics (Speculative): While the exact function names are unknown without the patch, we can infer their purpose:

    • There's likely a function that takes some form of user-supplied identifier or data representing a file.
    • This function, or a function it calls, then attempts to deserialize this data.
    • The vulnerability occurs because this deserialization happens without ensuring the data is safe or from a trusted source.

  5. Acknowledge Limitations: Without the commit diff, it's impossible to:

    • Identify the exact function names and their full namespaces.
    • Provide specific "patch_evidence."
    • Determine with high confidence which functions were modified. The advisory mentions the fix is in version 12.5.0, so comparing 12.4.8 and 12.5.0 would be the definitive way to find the patched functions.

  6. Formulate the Output:

    • Since no specific functions can be identified with evidence from a patch, the vulnerable_functions array must be empty, as per the instructions ("Return Empty if Uncertain - Don't hallucinate").
    • The reasoning section explains why the functions couldn't be identified (lack of commit access) and what the general nature of the vulnerable functions would be based on the advisory.

If the commit be44f61a475371c36b2035cbb523b56f5e34267d were accessible, the process would have been:

  1. Fetch the commit information using get_commit_infos.
  2. Analyze the diff for each modified file.
  3. Identify functions where code related to deserialization was changed (e.g., addition of validation, replacement of unserialize() with a safer alternative, or changes in how input to unserialize() is handled).
  4. Extract the function names, file paths, and the specific lines of code (patch_evidence) demonstrating the vulnerability or its fix.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** sr_**us*r_r**ist*r *xt*nsion t*rou** **.*.* *or TYPO* *llows R*mot* *o** *x**ution vi* uns*** **s*ri*liz*tion.

Reasoning

Un**l* to **t** *ommit **t*ils *rom t** provi*** *o****r* URL (*ttps://*o****r*.or*/sj*r/sr-**us*r-r**ist*r/*ommit/****************************************) or * *it*u* mirror. T** TYPO* s**urity **visory (TYPO*-*XT-S*-****-***) **s*ri**s t** vuln*r*