
CVE-2025-49597: handcraftedinthealps/goodby-csv has Potential Gadget Chain allowing Remote Code Execution

CVSS Score (v3.1): 3.9

Basic Information

EPSS Score: 0.64257%
Published: 6/13/2025
Updated: 6/14/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

Package Name: handcraftedinthealps/goodby-csv
Ecosystem: composer
Vulnerable Versions: < 1.4.3
First Patched Version: 1.4.3

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability identified (GHSA-x3c7-22c8-prg7) in handcraftedinthealps/goodby-csv is a potential gadget chain that can lead to Remote Code Execution if an application using this library has a separate insecure deserialization vulnerability. The core issue is that the Goodby\CSV\Export\Standard\Collection\CallbackCollection class could be instantiated via PHP's unserialize() function from user-controlled data.

PHP calls the __wakeup() magic method automatically on every object that unserialize() reconstructs. If a class does not define this method, or defines it without taking specific measures to refuse reconstruction, the object is rebuilt from attacker-supplied data. An attacker can craft serialized payloads (gadget chains) that, once unserialized, trigger a sequence of method calls across different objects, which can end in arbitrary code execution.

The provided patch introduces a __wakeup() method to the CallbackCollection class that explicitly throws a BadMethodCallException. This action effectively prevents objects of this class from being successfully unserialized, thereby neutralizing it as a potential gadget in such chains.

The vulnerable aspect is therefore the behavior of the CallbackCollection class during deserialization, specifically its __wakeup lifecycle method. Before the patch, the absent or non-restrictive __wakeup behavior allowed the class to take part in a deserialization-based attack. Goodby\CSV\Export\Standard\Collection\CallbackCollection::__wakeup is identified as the vulnerable function because its pre-patch state (absent, or not preventing deserialization) is what made the class a viable gadget. In an exploitation scenario where an attacker gets the application to unserialize() a crafted CallbackCollection object, this implicit or actual pre-patch __wakeup method takes part in the object's instantiation, and further method calls on the object then continue the gadget chain.
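As an added illustration (not code from goodby-csv itself), the pattern the patch applies, shown on a hypothetical stand-in class, alongside the call-site hardening PHP offers independently of any library fix. The class name, property and payload below are constructed for this example.

```php
<?php
// Added example: HypotheticalCallbackCollection is a stand-in modelled on the
// patch described above, not the library's real CallbackCollection class.
declare(strict_types=1);

final class HypotheticalCallbackCollection
{
    /** @var callable */
    private $callback;

    public function __construct(callable $callback)
    {
        $this->callback = $callback;
    }

    // The fix: refuse to be reconstructed from serialized data at all.
    // unserialize() invokes __wakeup() on the freshly built object; throwing
    // here aborts any gadget chain before another method can be reached.
    public function __wakeup(): void
    {
        throw new BadMethodCallException('Cannot unserialize ' . self::class);
    }
}

// Constructed payload: the serialized form unserialize() expects for this
// class with its one (private, hence name-mangled) property set to null.
// It carries no behaviour of its own; it only targets the class above.
$class   = HypotheticalCallbackCollection::class;
$prop    = "\0{$class}\0callback";
$payload = sprintf('O:%d:"%s":1:{s:%d:"%s";N;}',
    strlen($class), $class, strlen($prop), $prop);

// 1) Hardened class: reconstruction is aborted by __wakeup().
try {
    unserialize($payload);
    echo "unexpected: object was reconstructed\n";
} catch (BadMethodCallException $e) {
    echo "blocked by __wakeup(): {$e->getMessage()}\n";
}

// 2) Defence in depth at the call site, independent of any library patch:
// allowed_classes => false turns every object in the payload into
// __PHP_Incomplete_Class, so no magic method of any gadget class runs.
$incomplete = unserialize($payload, ['allowed_classes' => false]);
echo ($incomplete instanceof __PHP_Incomplete_Class)
    ? "no class instantiated; gadget neutralised at the call site\n"
    : "unexpected: a real object was instantiated\n";
```

The second check is the one an application owner controls: a library patch removes one gadget, while `allowed_classes => false` (or a strict allow-list) on every unserialize() of untrusted input removes the class of bug entirely.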


WAF Protection Rules

WAF Rule

Impact: goodby-csv could be used as part of a chain of methods that is exploitable when an insecure deserialization vulnerability exists in an application. This so-called "gadget chain" presents no direct threat but is a vector that can be used t

T** vuln*r**ility i**nti*i** (**S*-x***-****-pr**) in `**n**r**t**int***lps/*oo**y-*sv` is * pot*nti*l *****t ***in t**t **n l*** to R*mot* *o** *x**ution i* *n *ppli**tion usin* t*is li*r*ry **s * s*p*r*t* ins**ur* **s*ri*liz*tion vuln*r**ility. T**