CVE-2025-67031 Overview
CVE-2025-67031 is an authenticated Remote Code Execution (RCE) vulnerability in ORSEE (Online Recruitment System for Economic Experiments) version 3.1.0. The flaw resides in the participant profile field processing subsystem. Specific field configurations accept values prefixed with func:, which the application passes directly into PHP eval() calls inside tagsets/participant.php and tagsets/options.php. An authenticated user who can modify participant profile fields can execute arbitrary PHP code on the host. The issue is tracked under CWE-94: Improper Control of Generation of Code.
Critical Impact
Authenticated attackers can execute arbitrary PHP code on the ORSEE host through participant profile fields, leading to full application compromise and potential pivot to the underlying server.
Affected Products
- ORSEE (Online Recruitment System for Economic Experiments) 3.1.0
- tagsets/participant.php component
- tagsets/options.php component
Discovery Timeline
- 2026-05-15 - CVE-2025-67031 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2025-67031
Vulnerability Analysis
The vulnerability is a code injection flaw in ORSEE 3.1.0's participant profile processing logic. ORSEE supports field configurations that allow administrators to define dynamic profile values. When a field value begins with the prefix func:, the application strips the prefix and passes the remaining string directly into a PHP eval() call. This behavior exists in both tagsets/participant.php and tagsets/options.php.
Because user-controlled data reaches eval() without sanitization or sandboxing, any authenticated user with sufficient privileges to set or modify these field values can execute arbitrary PHP code. The exploit requires low privileges and no user interaction, but does require valid authentication.
Exploitation grants the attacker the privileges of the PHP process, typically the web server user. From there, an attacker can read application secrets, exfiltrate participant data, modify experiment records, or attempt local privilege escalation against the host.
Root Cause
The root cause is the use of PHP eval() on attacker-controllable input. The func: prefix acts as an opt-in directive that instructs ORSEE to treat the remainder of the string as executable PHP. No allowlist, syntax check, or sandbox restricts the evaluated code. This is a textbook [CWE-94] code injection defect.
Attack Vector
The attack vector is network-based and authenticated. An attacker first obtains valid credentials to the ORSEE administrative interface. The attacker then submits a participant profile field value beginning with func: followed by arbitrary PHP code. When ORSEE renders or processes the field through tagsets/participant.php or tagsets/options.php, the eval() call executes the supplied code in the context of the web server.
For a detailed walkthrough of the exploitation path, see the Medium analysis of CVE-2025-67031. The vulnerable source is available in the ORSEE 3.1.0 GitHub archive.
Detection Methods for CVE-2025-67031
Indicators of Compromise
- Participant profile field values that begin with the literal prefix func: followed by PHP syntax such as system(, exec(, shell_exec(, passthru(, or file_put_contents(.
- Unexpected child processes spawned by the PHP-FPM or Apache worker hosting ORSEE.
- New or modified PHP files in the ORSEE web root, particularly webshells dropped by file_put_contents() calls.
- Outbound network connections from the ORSEE host to unfamiliar IP addresses immediately after profile updates.
Detection Strategies
- Audit the ORSEE database for any record in participant profile or options tables whose value starts with func:.
- Monitor web server access logs for POST requests to ORSEE administrative endpoints handling participant fields, correlated with subsequent process or file system anomalies.
- Inspect PHP error logs for syntax errors originating from tagsets/participant.php and tagsets/options.php, which can indicate failed injection attempts.
Monitoring Recommendations
- Enable file integrity monitoring on the ORSEE installation directory to detect webshell creation.
- Log and alert on PHP process executions of system, exec, shell_exec, and passthru originating from the web server user.
- Track authentication events for ORSEE administrative accounts and flag logins from unexpected geolocations or IP ranges.
How to Mitigate CVE-2025-67031
Immediate Actions Required
- Restrict access to the ORSEE administrative interface to trusted networks using a reverse proxy or firewall rules.
- Rotate credentials for all ORSEE administrative accounts and enforce strong, unique passwords.
- Audit existing participant profile and options records and remove any entries that begin with the func: prefix.
- Review web server and PHP logs for prior exploitation attempts dating back to the deployment of ORSEE 3.1.0.
Patch Information
No official vendor patch is referenced in the NVD entry for CVE-2025-67031 at the time of publication. Operators should monitor the ORSEE GitHub repository for an updated release that removes the func: evaluation path. Until a patch is available, apply the workarounds below.
Workarounds
- Modify tagsets/participant.php and tagsets/options.php to remove the eval() call or to reject any input beginning with func:.
- Disable the eval function at the PHP level by adding it to the disable_functions directive in php.ini if no legitimate ORSEE functionality depends on it.
- Restrict the database accounts used by ORSEE so that compromise of the web tier cannot escalate to unrelated databases on the same server.
- Deploy a web application firewall rule that blocks request bodies containing the func: prefix in participant field parameters.
# Configuration example: disable eval in php.ini
disable_functions = eval,exec,system,shell_exec,passthru,popen,proc_open
# Restart PHP-FPM to apply
sudo systemctl restart php-fpm
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

