CVE-2025-48475 Overview
CVE-2025-48475 is a broken access control vulnerability in FreeScout, a self-hosted help desk and shared mailbox application. Versions prior to 1.8.180 fail to enforce the limit_user_customer_visibility setting on customer profile actions. Authorized users without access to any mailbox or conversation can still view and edit client records. The flaw is classified under CWE-863: Incorrect Authorization. The maintainers patched the issue in version 1.8.180.
Critical Impact
Low-privileged authenticated users can read and modify customer records they should not have access to, exposing personally identifiable information and enabling unauthorized data modification.
Affected Products
- FreeScout versions prior to 1.8.180
- Self-hosted FreeScout help desk deployments
- FreeScout instances with limit_user_customer_visibility enabled
Discovery Timeline
- 2025-05-29 - CVE-2025-48475 published to NVD
- 2025-07-02 - Last updated in NVD database
Technical Details for CVE-2025-48475
Vulnerability Analysis
FreeScout supports the limit_user_customer_visibility configuration option to restrict which customers a user can see and edit. The application relies on mailbox and conversation membership to determine customer scope. The authorization layer enforces this constraint inconsistently across controllers.
The customer profile endpoints in app/Http/Controllers/CustomersController.php did not call the visibility check before loading customer data. An authenticated user with no mailbox or conversation assignments could enumerate and edit customer profiles directly. This bypasses the intended access boundary between agents and the customer data they handle.
The vulnerability is exploitable over the network by any authenticated account, including newly provisioned low-privilege users. Exploitation requires no special tooling beyond authenticated HTTP requests to customer routes.
Root Cause
The root cause is a missing authorization check on customer profile actions. The controller methods retrieved customer records using Customer::findOrFail($id) without invoking the checkLimitVisibility helper. The limit_user_customer_visibility configuration was honored in some paths but omitted on the affected endpoints.
Attack Vector
An attacker authenticates with any FreeScout user account. The attacker then issues requests to customer profile routes by iterating customer identifiers. The server returns and accepts updates to records regardless of the user's mailbox scope.
// Source: https://github.com/freescout-help-desk/freescout/commit/1f154ce039618ed5abd960c97619c23534c0717a
// Patch applied in app/Http/Controllers/CustomersController.php
{
$customer = Customer::findOrFail($id);
+ $this->checkLimitVisibility($customer);
+
$customer_emails = $customer->emails;
if (count($customer_emails)) {
foreach ($customer_emails as $row) {
The patch adds a checkLimitVisibility($customer) call immediately after the customer is loaded, enforcing the visibility restriction before any data is rendered or modified.
Detection Methods for CVE-2025-48475
Indicators of Compromise
- Authenticated HTTP requests to /customers/{id} routes from accounts with no mailbox assignments
- Sequential enumeration patterns against customer profile endpoints
- Customer record updates originating from user accounts that lack conversation history
- Unexpected customer.updated audit events tied to low-privilege agent accounts
Detection Strategies
- Review FreeScout application logs for customer profile access by users outside their assigned mailbox scope
- Correlate web server access logs against the user-to-mailbox mapping to flag out-of-scope reads
- Alert on bulk GET requests to customer profile URLs originating from a single session
- Inspect database audit trails for customer record modifications by users without conversation activity
Monitoring Recommendations
- Enable verbose logging on customer controller routes in FreeScout
- Forward FreeScout web and application logs to a centralized log platform for correlation
- Establish a baseline of normal customer-access patterns per agent role and alert on deviations
- Monitor for the presence and value of the APP_LIMIT_USER_CUSTOMER_VISIBILITY setting across deployments
How to Mitigate CVE-2025-48475
Immediate Actions Required
- Upgrade FreeScout to version 1.8.180 or later without delay
- Audit existing user accounts and remove unused or unnecessary agent accounts
- Review customer records for unauthorized modifications since the vulnerable version was deployed
- Rotate API tokens and session cookies for accounts that may have been misused
Patch Information
The fix is committed in FreeScout commit 1f154ce and released in version 1.8.180. Details are documented in the GHSA-xvch-f75c-8w8q security advisory. The patch adds an authorization check on customer profile actions so the limit_user_customer_visibility setting is consistently enforced.
Workarounds
- Restrict network access to the FreeScout administrative interface to trusted networks until patching
- Disable or remove user accounts that do not require customer access
- Enable APP_LIMIT_USER_CUSTOMER_VISIBILITY after upgrading to 1.8.180 to enforce per-mailbox scoping
- Review and tighten role assignments so only required users have agent privileges
# Upgrade FreeScout to the patched release
cd /var/www/freescout
php artisan freescout:after-app-update
git fetch --tags
git checkout 1.8.180
composer install --no-dev
php artisan migrate --force
# Enforce customer visibility scoping in .env
echo "APP_LIMIT_USER_CUSTOMER_VISIBILITY=true" >> .env
php artisan config:cache
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

