10

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-49113

GHSA ID

GHSA-8j8w-wwqc-x596

EPSS Score

0.99273%

CWE

CWE-502

Published

6/2/2025

Updated

6/6/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-49113

CVE-2025-49113: Roundcube Webmail Vulnerable to Authenticated RCE via PHP Object Deserialization

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-49113

CVE-2025-49113:

10

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-49113

GHSA ID

GHSA-8j8w-wwqc-x596

EPSS Score

0.99273%

CWE

CWE-502

Published

6/2/2025

Updated

6/6/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
roundcube/roundcubemail	composer	< 1.5.10
roundcube/roundcubemail	composer	>= 1.6.0, < 1.6.11

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability, CVE-2025-49113, is a PHP Object Deserialization flaw in Roundcube Webmail, occurring because the _from GET parameter in program/actions/settings/upload.php is not properly validated.

The analysis of the provided commit diffs (0376f69e958a8fef7f6f09e352c541b4e7729c4d, 7408f31379666124a39f9cb1018f62bc5e2dc695, and c50a07d88ca38f018a0f4a0b008e9a1deb32637e) reveals the following:

The run method within the rcmail_action_settings_upload class in program/actions/settings/upload.php is responsible for handling the request and processing the _from parameter.
Commits 0376f69e... and 7408f31... introduce a crucial security fix by adding a validation step for the $type variable, which is derived from the _from parameter. This validation uses a new utility function rcube_utils::is_simple_string() to ensure $type only contains expected characters. The addition of this check explicitly indicates its prior absence, which is the vulnerability.
Commit c50a07d... changes the method of retrieving the _from parameter from rcube_utils::get_input_value to rcube_utils::get_input_string. While get_input_string might be inherently safer or more restrictive, the primary vulnerability was the lack of validation on the content of the string, regardless of which function retrieved it initially.

The root cause is that the rcmail_action_settings_upload::run method previously took the _from parameter, derived $type from it, and then proceeded without ensuring $type was safe. This unvalidated input could then be used in a way that triggers PHP object deserialization if an attacker crafts a malicious payload for the _from parameter. Therefore, rcmail_action_settings_upload::run is the key function that would appear in a runtime profile when this vulnerability is triggered, as it's the entry point for the tainted data.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

10

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-49113: Roundcube Webmail Vulnerable to Authenticated RCE via PHP Object Deserialization

CVE-2025-49113:

10

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

CVE-2025-49113: Roundcube Webmail Vulnerable to Authenticated RCE via PHP Object Deserialization

10

10

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI