CVE-2025-11938 Overview
CVE-2025-11938 is an insecure deserialization vulnerability affecting ChurchCRM versions up to 5.18.0. The flaw resides in the setup/routes/setup.php file, where manipulation of the DB_PASSWORD, ROOT_PATH, or URL arguments triggers unsafe deserialization [CWE-502]. The attack can be initiated remotely without authentication, though the attack complexity is rated high. A public exploit reference exists, and the vendor did not respond to disclosure attempts.
Critical Impact
Remote attackers can leverage deserialization of attacker-controlled input through the setup routes to influence application state, with potential downstream effects on confidentiality, integrity, and availability.
Affected Products
- ChurchCRM versions up to and including 5.18.0
- Component: setup/routes/setup.php
- Affected parameters: DB_PASSWORD, ROOT_PATH, URL
Discovery Timeline
- 2025-10-19 - CVE-2025-11938 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-11938
Vulnerability Analysis
The vulnerability is classified under [CWE-502] Deserialization of Untrusted Data and [CWE-20] Improper Input Validation. ChurchCRM's setup routing logic accepts user-supplied values for installation parameters and processes them in a manner that results in deserialization of untrusted data. Because the setup workflow is exposed over the network, attackers can interact with the affected endpoint remotely without prior authentication.
Exploitation is rated as difficult, with attack complexity marked as high in the CVSS 4.0 vector. The vendor was contacted but did not respond, which leaves the codebase unpatched at the time of disclosure. ChurchCRM is an open-source church management web application, and exposed setup routes on production instances increase the practical risk.
Root Cause
The root cause is the unsafe handling of the DB_PASSWORD, ROOT_PATH, and URL arguments within setup/routes/setup.php. The setup script processes these inputs without applying sufficient validation or sanitization before they reach a deserialization sink. This allows crafted input to influence object construction during the setup workflow.
Attack Vector
The attack vector is network-based. An attacker sends crafted requests to the setup route containing manipulated DB_PASSWORD, ROOT_PATH, or URL parameters. If the setup endpoint is reachable, deserialization of the malicious payload occurs during request processing. Successful exploitation requires the setup interface to be accessible, which is more common in misconfigured or freshly deployed instances.
For full technical details, see the GitHub Security Advisory and VulDB entry #329014.
Detection Methods for CVE-2025-11938
Indicators of Compromise
- HTTP requests targeting setup/routes/setup.php after the initial application installation has completed
- Requests containing serialized PHP object payloads in the DB_PASSWORD, ROOT_PATH, or URL parameters
- Unexpected child processes spawned by the PHP worker process serving the ChurchCRM application
Detection Strategies
- Inspect web server access logs for POST or GET requests to /setup/ paths originating from external sources
- Apply web application firewall rules that flag serialized object markers such as O: or a: in parameter values
- Correlate suspicious setup-route access with subsequent file modifications inside the ChurchCRM webroot
Monitoring Recommendations
- Alert on any access to the setup endpoint on production deployments where installation is complete
- Monitor outbound network connections initiated by the PHP runtime that hosts ChurchCRM
- Track file integrity for ChurchCRM application directories to detect unauthorized modifications
How to Mitigate CVE-2025-11938
Immediate Actions Required
- Restrict access to the setup/ directory at the web server level once installation is complete
- Block external network access to the ChurchCRM setup routes using firewall or reverse proxy rules
- Audit existing ChurchCRM deployments to confirm the setup interface is not reachable from untrusted networks
Patch Information
At the time of publication, the vendor did not respond to disclosure attempts, and no official patch is referenced in the advisory. Administrators running ChurchCRM 5.18.0 or earlier should monitor the ChurchCRM project for future security releases and apply updates promptly when available.
Workarounds
- Remove or rename the setup/ directory after installation to prevent reuse of the setup routes
- Enforce IP allowlisting at the web server layer for any administrative or setup paths
- Place ChurchCRM behind an authenticated reverse proxy to require authentication before reaching application routes
# Example: deny external access to ChurchCRM setup routes in Apache
<Location "/setup">
Require ip 127.0.0.1
Require ip 10.0.0.0/8
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
