CVE-2025-11938 Overview
CVE-2025-11938 is a deserialization vulnerability in ChurchCRM versions up to and including 5.18.0. The flaw resides in the setup/routes/setup.php file, where manipulation of the DB_PASSWORD, ROOT_PATH, or URL arguments triggers insecure deserialization of attacker-controlled input. The issue is associated with [CWE-20] Improper Input Validation and [CWE-502] Deserialization of Untrusted Data. The attack can be initiated remotely over the network, though exploitability is rated as difficult due to high attack complexity. The vendor was contacted prior to public disclosure but did not respond, and the exploit details have been made public.
Critical Impact
Remote attackers can submit crafted serialized payloads through the setup route, potentially leading to arbitrary object instantiation and code execution within the ChurchCRM application context.
Affected Products
- ChurchCRM versions up to and including 5.18.0
- Component: setup/routes/setup.php
- Parameters: DB_PASSWORD, ROOT_PATH, URL
Discovery Timeline
- 2025-10-19 - CVE-2025-11938 published to the National Vulnerability Database (NVD)
- 2026-04-29 - Last updated in the NVD
Technical Details for CVE-2025-11938
Vulnerability Analysis
The vulnerability exists in the ChurchCRM installation and configuration handler implemented in setup/routes/setup.php. The route accepts user-supplied values for the DB_PASSWORD, ROOT_PATH, and URL parameters during the setup workflow. These values are passed into a deserialization routine without sufficient validation or type filtering. An attacker who reaches the setup endpoint can submit a crafted serialized PHP object that, once unserialized, may invoke magic methods such as __wakeup or __destruct on classes available in the application autoloader. This behavior matches the classic PHP object injection pattern described in [CWE-502].
Exploitation requires the setup route to be reachable and depends on suitable gadget chains being available within the ChurchCRM codebase or loaded libraries. The high attack complexity reflects these preconditions, but successful exploitation can pivot from input handling to arbitrary code execution.
Root Cause
The root cause is unsafe handling of untrusted input passed to a PHP deserialization function inside setup/routes/setup.php. The setup logic trusts attacker-controllable strings as serialized object data instead of treating them as opaque configuration values. Combined with the absence of strict input validation [CWE-20], this allows arbitrary object graphs to be reconstructed in application memory.
Attack Vector
The attack vector is network-based and unauthenticated. An attacker sends an HTTP request to the setup route with a serialized payload supplied through the DB_PASSWORD, ROOT_PATH, or URL parameter. When the route processes the value, PHP reconstructs the object and triggers gadget methods. Exploitability is rated as difficult because an attacker typically needs knowledge of the deployed ChurchCRM version, the loaded classes, and a reachable setup endpoint. Public exploit details exist, which lowers the practical barrier for skilled attackers.
No verified proof-of-concept code is available in the enriched data set. Refer to the GitHub Security Advisory for technical detail.
Detection Methods for CVE-2025-11938
Indicators of Compromise
- HTTP requests to setup/routes/setup.php or the /setup path containing serialized PHP markers such as O:, a:, or s: in the DB_PASSWORD, ROOT_PATH, or URL parameters.
- Unexpected child processes spawned by PHP workers running as the web server user after requests to the setup endpoint.
- Outbound network connections initiated by the ChurchCRM web process to attacker infrastructure following setup route activity.
Detection Strategies
- Inspect web server access and application logs for POST or GET requests to setup routes after initial installation has completed.
- Apply web application firewall (WAF) rules that flag serialized PHP object patterns in request bodies and query parameters.
- Correlate file modifications under the ChurchCRM document root with recent requests to setup/routes/setup.php.
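As an added illustration of the indicators and detection strategies above (not code from the ChurchCRM project or this advisory), the following Python script scans access-log lines for requests to the setup route and flags DB_PASSWORD, ROOT_PATH or URL query values that carry PHP serialize() markers, decoding percent-encoding so encoded payloads are not missed. The log format, the sample lines and the /setup path pattern are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Parameters the advisory names as reaching the deserialization sink in setup/routes/setup.php.
SUSPECT_PARAMS = {"DB_PASSWORD", "ROOT_PATH", "URL"}
# PHP serialize() markers from the IoC list: O:<len>:"Class", a:<n>:{, s:<len>:".
# The leading group keeps ordinary text such as "https:" from matching.
PHP_SERIAL_RE = re.compile(r'(?:^|[^A-Za-z0-9])(?:O:\d+:"|a:\d+:\{|s:\d+:")')
# Installer paths that should be unreachable once setup has completed (assumed layout).
SETUP_PATH_RE = re.compile(r"^/setup(?:/|$)")
# Common/combined log format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def looks_serialized(value: str) -> bool:
    """True if a decoded query value carries PHP serialize() markers."""
    # parse_qs decoded once already; decode again to catch double-encoded payloads.
    return bool(PHP_SERIAL_RE.search(unquote_plus(value)))


def flag_request(line: str):
    """Return a finding for any setup-route request, or None for other requests.

    Severity is "high" when a watched parameter carries serialized-object markers,
    "medium" for any other setup-route access. Only the query string is visible in
    access logs; POST bodies need WAF or application-level logging.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    client, when, method, target, status = m.groups()
    parts = urlsplit(target)
    if not SETUP_PATH_RE.match(parts.path):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = sorted(k for k, vals in params.items()
                  if k in SUSPECT_PARAMS and any(looks_serialized(v) for v in vals))
    return {"client": client, "time": when, "method": method, "path": parts.path,
            "status": status, "severity": "high" if hits else "medium",
            "serialized_params": hits}


def scan(lines):
    """Run flag_request over access-log lines and keep only the findings."""
    return [f for f in map(flag_request, lines) if f]


# Constructed sample lines (documentation addresses; the empty stdClass object is a harmless placeholder).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Oct/2025:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [20/Oct/2025:10:01:12 +0000] "GET /setup/?URL=https%3A%2F%2Fexample.org HTTP/1.1" 200 40',
    '198.51.100.7 - - [20/Oct/2025:10:01:30 +0000] "GET /setup/routes/setup.php?DB_PASSWORD=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 0',
]
```

Running scan(SAMPLE_LOG) yields two findings: a medium-severity hit for the plain setup-route access and a high-severity hit naming DB_PASSWORD for the percent-encoded serialized object.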
Monitoring Recommendations
- Alert on any access to setup or installer URLs on production ChurchCRM deployments where setup should already be complete.
- Monitor PHP error logs for unserialize() warnings or class autoload failures originating from setup handlers.
- Track integrity of configuration files written during setup, including database credential files, for unauthorized changes.
How to Mitigate CVE-2025-11938
Immediate Actions Required
- Restrict access to the ChurchCRM setup routes immediately, either by network ACL, authentication, or by removing the setup/ directory after installation.
- Audit existing deployments running ChurchCRM 5.18.0 or earlier for evidence of unauthorized setup route access.
- Rotate database credentials and any secrets stored in ChurchCRM if setup endpoints were reachable from untrusted networks.
Patch Information
At the time of publication, the vendor had not responded to the disclosure and no fixed version is referenced in the enriched data. Track the GitHub Security Advisory and the VulDB entry for vendor updates and patched releases. Apply any subsequent ChurchCRM release that explicitly addresses the deserialization flaw in setup/routes/setup.php.
Workarounds
- Block external access to setup/routes/setup.php and other installer paths through web server configuration once initial setup is complete.
- Place ChurchCRM behind authenticated reverse proxy access during any reinstallation or upgrade procedure.
- Remove or rename the setup directory from the document root on production instances where reconfiguration is not in progress.
# Example nginx rule to block external access to the setup route
# (the pattern also covers setup/routes/setup.php, which lives under /setup)
location ~* ^/setup(/|$) {
    deny all;
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.