CVE-2025-5499 Overview
A critical deserialization vulnerability has been reported in slackero phpwcms, affecting the 1.9 branch up to 1.9.45 and the 1.10 branch up to 1.10.8. It involves the is_file() and getimagesize() calls in image_resized.php: the imgfile request argument reaches these filesystem functions unvalidated, so a value using the phar:// stream wrapper makes PHP parse an attacker-supplied PHAR archive and unserialize the metadata stored in it, which can lead to remote code execution on the affected server.
Critical Impact
Remote attackers can use this insecure deserialization flaw to have attacker-controlled data unserialized inside the PHP worker and, when a usable gadget chain exists in phpwcms or its bundled libraries, execute arbitrary code. The advisory describes the attack as launchable remotely; whether image_resized.php is reachable without authentication depends on the deployment, so treat every internet-facing phpwcms instance as exposed until patched.
Affected Products
- phpwcms 1.9 branch, versions up to and including 1.9.45
- phpwcms 1.10 branch, versions up to and including 1.10.8
- Any installation that exposes the affected image_resized.php script
Discovery Timeline
- 2025-06-03 - CVE-2025-5499 published to NVD
- 2026-01-20 - Last updated in NVD database
Technical Details for CVE-2025-5499
Vulnerability Analysis
This vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and CWE-20 (Improper Input Validation). The flaw sits in the image-processing script image_resized.php, where the imgfile request parameter is passed to the PHP filesystem functions is_file() and getimagesize() without validation.
Both functions accept any registered PHP stream wrapper, including phar://. When a path of the form phar://<local file>/anything is opened this way on PHP 7.x, the engine parses the PHAR archive and unserializes the serialized metadata stored in its manifest, so whoever wrote that file controls which objects are instantiated. With a suitable gadget chain in phpwcms or its bundled libraries, the __wakeup() and __destruct() methods of those objects lead to code execution. Note that PHP 8.0 and later no longer unserialize PHAR metadata on stream-wrapper access (only on an explicit Phar::getMetadata() call), so this particular trigger requires the site to run PHP 7.x; the missing validation remains a defect on newer PHP and should still be patched.
The advisory describes the attack as launchable remotely and without user interaction, which makes internet-facing phpwcms installations the primary concern.
Root Cause
The root cause is that image_resized.php trusts the imgfile parameter: it is handed to is_file() and getimagesize() without being restricted to a plain filename inside the expected image directory. Because PHP filesystem functions resolve stream wrappers, a phar:// prefix turns what the code intends as a file-existence check into a PHAR parse, and on PHP 7.x that parse unserializes whatever metadata the archive author stored in it.
Attack Vector
The attack is network-based and needs no user interaction. An attacker sends a request to image_resized.php whose imgfile value is a phar:// path pointing at a PHAR archive that already exists on the server's filesystem. The phar:// wrapper reads local files only, so the attacker first needs a way to place the archive there; an upload feature is the usual route. A PHAR's stub may begin with arbitrary bytes as long as it ends with __HALT_COMPILER();, so the archive can be built to start with a valid GIF or JPEG header and survive extension and magic-byte checks on upload.
The exploitation process typically involves:
- Building a PHAR archive whose manifest metadata is a serialized object graph drawn from an available gadget chain
- Getting that file onto the server under a path the web server can read (for example through an image upload, with an image-looking stub so it passes upload checks)
- Sending a request to image_resized.php with imgfile set to phar://<path to that file>/anything
- is_file() or getimagesize() opens the stream, PHP parses the archive and, on PHP 7.x, unserializes the metadata
- If a usable gadget chain exists, the magic methods of the rebuilt objects perform attacker-chosen actions, up to arbitrary code execution
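The following is an added example, not phpwcms code and not from the advisory: it shows the call pattern described under Root Cause and Attack Vector (a request value reaching is_file() and getimagesize() unchanged) next to one way to harden it. The function names, the $baseDir layout and the constructed test inputs are assumptions; the hardening rejects any stream wrapper by refusing the colon every wrapper needs, pins the value below a fixed directory, and checks the resolved path with realpath() before any filesystem function sees it.

```php
<?php
// Added example, not phpwcms code: the vulnerable call pattern the advisory
// describes (user-controlled path reaching is_file()/getimagesize()) next to
// one way to harden it. Function names and the $baseDir layout are assumptions.
declare(strict_types=1);

// Vulnerable pattern: the request value goes straight to filesystem functions.
// "phar://content/uploads/pic.jpg/x" is accepted as a stream, and on PHP 7.x
// the archive's metadata is unserialized as a side effect of the call.
function image_info_vulnerable(string $imgfile): ?array
{
    if (!is_file($imgfile)) {
        return null;
    }
    return getimagesize($imgfile) ?: null;
}

// Hardened: imgfile is treated as a relative filename below a fixed image
// directory. Anything that could select a stream wrapper or escape the
// directory is rejected before any filesystem function sees the value.
function resolve_image_path(string $imgfile, string $baseDir): ?string
{
    // Every stream wrapper needs a colon; rejecting the character (and NUL)
    // avoids a scheme blocklist that nested wrappers such as
    // compress.zlib://phar://... or future wrappers could slip past.
    if (strpbrk($imgfile, ":\0") !== false) {
        return null;
    }
    if (!preg_match('~\A[A-Za-z0-9._/-]+\z~', $imgfile)) {
        return null;
    }
    // No empty segment (absolute path or "//") and no "." / ".." components.
    foreach (explode('/', $imgfile) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return null;
        }
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $imgfile);
    if ($base === false || $real === false) {
        return null;                      // directory or file does not exist
    }
    // realpath() has resolved symlinks, so a prefix check is sufficient.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

function image_info_hardened(string $imgfile, string $baseDir): ?array
{
    $path = resolve_image_path($imgfile, $baseDir);
    if ($path === null || !is_file($path)) {
        return null;
    }
    $info = @getimagesize($path);
    // Accept only the formats the resizer is meant to handle.
    $allowed = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_WEBP];
    if ($info === false || !in_array($info[2], $allowed, true)) {
        return null;
    }
    return $info;
}

// Constructed inputs: each must be rejected before any filesystem call.
$baseDir = sys_get_temp_dir();
$malicious = [
    'phar://content/uploads/pic.jpg/x.jpg',
    'compress.zlib://phar://content/uploads/pic.jpg/x.jpg',
    '../../etc/passwd',
    '/etc/passwd',
    "logo.jpg\0.phar",
];
foreach ($malicious as $input) {
    if (resolve_image_path($input, $baseDir) !== null) {
        throw new RuntimeException("accepted malicious imgfile: $input");
    }
}
echo "rejected " . count($malicious) . " malicious imgfile values\n";
```

Run it with `php hardened_imgfile.php`. The design choice worth copying is the order of checks: the wrapper and traversal rejections are pure string tests, so a hostile value never reaches realpath(), is_file() or getimagesize() at all, and the allow-list of image types keeps the resizer from being pointed at arbitrary readable files even inside the image directory.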
For detailed technical information about this vulnerability, refer to the GitHub PoC Repository and VulDB entry #310914.
Detection Methods for CVE-2025-5499
Indicators of Compromise
- Requests to image_resized.php whose imgfile value contains phar:// (or its URL-encoded form phar%3A%2F%2F), possibly nested inside another stream such as compress.zlib://
- Web server log entries in which the stream wrapper is disguised by mixed case, double percent-encoding or other obfuscation
- Files in upload or image directories that contain the PHAR stub marker __HALT_COMPILER(); regardless of their extension (a PHAR does not need a .phar name and has no fixed leading magic bytes; a GIF or JPEG header followed by the marker is the common disguise)
- Anomalous PHP process behavior following requests to the image processing endpoint
Detection Strategies
- Implement web application firewall (WAF) rules that normalize percent-encoding before matching and block requests containing phar:// or other PHP stream wrapper patterns
- Monitor HTTP request logs for suspicious imgfile parameter values targeting image_resized.php
- Deploy file integrity monitoring on phpwcms installation directories to detect unauthorized modifications
- Configure intrusion detection systems to alert on deserialization attack patterns
Monitoring Recommendations
- Enable detailed logging for the phpwcms application and web server
- Set up alerts for requests containing phar://, compress.zlib://, or similar PHP stream wrappers
- Monitor for unusual process spawning from PHP or web server processes
- Implement network-level monitoring for outbound connections from the web server to detect potential reverse shells
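As an added example for the Indicators of Compromise, Detection Strategies and Monitoring Recommendations above (not code from the advisory or from phpwcms), the script below scans access-log lines in the standard Apache/nginx "combined" format, decodes parameter values repeatedly so double-encoded wrappers are not missed, and flags any PHP stream wrapper, with the image_resized.php/imgfile combination marked as the CVE-2025-5499 vector. The log lines are constructed; the format and the PHP 8.0+ requirement (str_ends_with) are assumptions.

```php
<?php
// Added example, not part of the advisory or phpwcms: a scanner for
// Apache/nginx "combined" access-log lines that flags requests whose query
// parameters carry a PHP stream wrapper, with image_resized.php?imgfile=
// treated as the high-priority case. The log lines below are constructed.
declare(strict_types=1);

const WRAPPER_RE = '~(phar|compress\.zlib|compress\.bzip2|php|data|glob|expect)://~i';

// Decode until the value stops changing (bounded) so that double-encoded
// values such as phar%253A%252F%252F are seen as phar://.
function fully_decode(string $value): string
{
    for ($round = 0; $round < 3; $round++) {
        $decoded = urldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return $value;
}

// Returns a finding for a suspicious line, or null for a benign one.
function scan_line(string $logLine): ?array
{
    // The combined format carries the raw request line in quotes.
    if (!preg_match('~"(?:GET|POST|HEAD) (\S+) HTTP/\d(?:\.\d)?"~', $logLine, $m)) {
        return null;
    }
    $path  = (string) (parse_url($m[1], PHP_URL_PATH) ?? '');
    $query = (string) (parse_url($m[1], PHP_URL_QUERY) ?? '');
    parse_str($query, $params);            // one round of percent-decoding
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue;                      // array parameters are out of scope
        }
        $decoded = fully_decode($value);
        if (preg_match(WRAPPER_RE, $decoded, $w)) {
            return [
                'endpoint' => $path,
                'param'    => (string) $name,
                'wrapper'  => strtolower($w[1]),
                'value'    => $decoded,
                // The advisory's vector: the imgfile argument of image_resized.php
                'high'     => str_ends_with($path, '/image_resized.php') && $name === 'imgfile',
            ];
        }
    }
    return null;
}

// Constructed sample: one benign request, two variants of the phar:// vector
// (plain and double-encoded), and a wrapper on an unrelated endpoint.
$sample = [
    '10.0.0.5 - - [03/Jun/2025:10:01:02 +0000] "GET /image_resized.php?imgfile=content/images/logo.jpg&w=200 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [03/Jun/2025:10:02:10 +0000] "GET /image_resized.php?imgfile=phar://content/uploads/pic.jpg/x.jpg HTTP/1.1" 200 0 "-" "curl/8.0"',
    '10.0.0.9 - - [03/Jun/2025:10:02:11 +0000] "GET /image_resized.php?imgfile=phar%253A%252F%252Fcontent%252Fuploads%252Fpic.jpg HTTP/1.1" 200 0 "-" "curl/8.0"',
    '10.0.0.7 - - [03/Jun/2025:10:03:00 +0000] "GET /index.php?q=compress.zlib%3A%2F%2Fphar%3A%2F%2Fx HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
];
foreach ($sample as $line) {
    $f = scan_line($line);
    if ($f !== null) {
        printf("%s %s=%s via %s:// (%s)\n", $f['endpoint'], $f['param'], $f['value'],
               $f['wrapper'], $f['high'] ? 'HIGH: CVE-2025-5499 vector' : 'review');
    }
}
```

Run it with `php scan_access_log.php`; for a real log, replace the $sample array with a loop over the lines of the file. Two limitations follow from the data source rather than the code: access logs record the request line only, so an imgfile value sent in a POST body is invisible here and must be caught in PHP or by a WAF that inspects bodies, and a 200 status on a flagged line says nothing about whether deserialization happened, so any hit should be followed by checking the upload directories for files containing __HALT_COMPILER(); as listed above.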
How to Mitigate CVE-2025-5499
Immediate Actions Required
- Upgrade phpwcms to 1.9.46 (1.9 branch) or 1.10.9 (1.10 branch), or later, immediately
- If immediate upgrade is not possible, restrict access to image_resized.php through web server configuration
- Review server logs for any evidence of exploitation attempts
- Consider temporarily disabling the affected image processing functionality until patching is complete
Patch Information
The phpwcms development team has addressed this vulnerability in versions 1.9.46 and 1.10.9. Users should upgrade to these versions or later to remediate the issue. The patched release is available on the official GitHub repository.
Workarounds
- Block requests containing phar:// (in plain and percent-encoded form) at the web server or WAF level before they reach PHP, keeping in mind that mod_rewrite and many WAF rule sets do not inspect POST bodies
- Validate imgfile in the application: accept only a relative filename with a conservative character set, reject any value containing a colon (every stream wrapper uses one), and confirm with realpath() that the resolved file lies inside the image directory
- The phar extension is compiled into most PHP builds and cannot simply be switched off; if nothing legitimate needs phar://, unregister the wrapper at request start with stream_wrapper_unregister('phar'); in a script loaded via the auto_prepend_file ini setting
- disable_functions does not stop the deserialization itself, but restricting system(), exec(), shell_exec(), passthru() and proc_open() limits what a gadget chain can do once it runs
# Apache .htaccess rule to block requests carrying a PHP stream wrapper.
# %{QUERY_STRING} is matched raw, so the patterns cover both the literal
# "://" and the percent-encoded "%3A%2F%2F" form an attacker would send.
# mod_rewrite never sees POST bodies; pair this with a PHP-side check.
RewriteEngine On
RewriteCond %{QUERY_STRING} (phar|compress\.zlib|compress\.bzip2|php|data|glob|expect)(:|%3a)(/|%2f){2} [NC,OR]
RewriteCond %{REQUEST_URI} (phar|compress\.zlib|compress\.bzip2|php|data|glob|expect)(:|%3a)(/|%2f){2} [NC]
RewriteRule .* - [F,L]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

