CVE-2022-45134
Published: 22 August 2025
Summary
CVE-2022-45134 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Mahara. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 28.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-45134 is a critical deserialization vulnerability (CWE-502) affecting Mahara, an open-source web application for managing learning portfolios. Specifically, versions 21.10 before 21.10.6, 22.04 before 22.04.4, and 22.10 before 22.10.1 unsafely deserialize user-supplied input during the import of skin files, which are XML-based customization themes. A specially crafted XML file processed during this import can trigger arbitrary code execution on the server. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): it is reachable over the network without privileges or user interaction, and a successful exploit fully compromises confidentiality, integrity, and availability.
The attack requires no authentication or user interaction, allowing unauthenticated remote attackers to exploit it by submitting a malicious XML skin file through the import functionality. Successful exploitation grants attackers full control over the affected Mahara instance, enabling arbitrary code execution with the privileges of the web server process, potentially leading to data theft, modification, or further system compromise.
Mitigation involves upgrading to Mahara 21.10.6, 22.04.4, or 22.10.1, where the deserialization flaw is addressed. Detailed discussions and patches are available in the official advisories at https://bugs.launchpad.net/mahara/+bug/1993082 and https://mahara.org/interaction/forum/topic.php?id=9353.
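The following PHP example is added here to illustrate the CWE-502 pattern this advisory describes; it is not Mahara's code or the actual patch. The skin element names (`skin`, `viewskin`), the serialized blob, and the allowed property names are constructed assumptions for the example.

```php
<?php
// Illustrative only: not Mahara's code. Shows an unsafe skin-import pattern
// (unserialize() on a string taken from an uploaded XML file) beside a
// hardened version. Element names and sample values are constructed.
declare(strict_types=1);

// Constructed sample skin file. In a real import every value in it,
// including the serialized blob, is attacker-controlled.
$skinXml = <<<'XML'
<?xml version="1.0"?>
<skin>
  <title>Example skin</title>
  <viewskin>a:2:{s:10:"background";s:7:"#ffffff";s:4:"font";s:5:"Arial";}</viewskin>
</skin>
XML;

// Vulnerable pattern: the blob is deserialized with no restriction on which
// classes may be instantiated, so magic methods (__wakeup, __destruct) of
// any loadable class can run during import.
function importSkinUnsafe(string $xml): mixed
{
    $doc = new SimpleXMLElement($xml);
    return unserialize((string) $doc->viewskin);
}

// Hardened pattern: no network access for the XML parser, no class
// instantiation during deserialization, and only scalar values under an
// explicit allow-list of property names are accepted.
function importSkinSafe(string $xml): array
{
    $doc = new SimpleXMLElement($xml, LIBXML_NONET);
    $data = unserialize((string) $doc->viewskin, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('viewskin must deserialize to an array');
    }
    $allowedKeys = ['background', 'font']; // assumed skin properties
    $clean = [];
    foreach ($data as $key => $value) {
        // Any object in the blob becomes __PHP_Incomplete_Class and is
        // rejected here because it is not a scalar.
        if (!in_array($key, $allowedKeys, true) || !is_scalar($value)) {
            throw new InvalidArgumentException("unexpected skin property: $key");
        }
        $clean[$key] = (string) $value;
    }
    return $clean;
}

var_dump(importSkinSafe($skinXml)); // ['background' => '#ffffff', 'font' => 'Arial']
```

Dropping the serialized format altogether (for example, storing skin properties as plain XML elements or JSON and validating them against a schema) removes the deserialization sink entirely and is preferable to restricting it.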
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-48051
Vulnerability details
Mahara 21.10 before 21.10.6, 22.04 before 22.04.4, and 22.10 before 22.10.1 deserializes user input unsafely during skin import. A particularly structured XML file could cause code execution when being processed.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059 Command and Scripting Interpreter
Why these techniques?
Remote unauthenticated deserialization during the public web application's skin import enables arbitrary code execution (T1190) and subsequent command or script execution on the server (T1059).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the CVE by requiring identification, reporting, and correction of the deserialization flaw through patching to fixed Mahara versions.
- SI-10 (Information Input Validation): Requires validation of user-supplied XML input during skin import to prevent unsafe deserialization leading to code execution.
- SI-16 (Memory Protection): Implements memory protections that hinder arbitrary code execution resulting from successful deserialization exploits.