Cyber Resilience

CVE-2025-34060

Critical · Public PoC · RCE

Published: 01 July 2025
Modified: 15 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
CVSS v4 Score: 10.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
EPSS Score: 0.0189 (83.6th percentile)
Risk Priority: 21 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-34060 is a critical-severity Improper Input Validation (CWE-20) vulnerability in the Monero Project's Laravel-based forum software (product inferred from the references and description; NVD did not file a CPE). Its CVSS v4 base score is 10.0 (Critical).

Operationally, it ranks in the top 16.4% of CVEs by exploit likelihood (EPSS 0.0189); it is not currently listed in the CISA KEV catalog; a public proof of concept is referenced.

Deeper analysis

A PHP object injection vulnerability exists in the Monero Project's Laravel-based forum software, stemming from unsafe handling of untrusted input in the /get/image/ endpoint. The application passes the user-supplied link parameter directly to file_get_contents() without validating it, so every stream wrapper PHP supports is reachable, not just http(s) URLs. The MIME type check performed with PHP's finfo runs only after the bytes have been read and can be bypassed with a crafted php://filter stream-filter chain that prepends a spoofed image signature to the file contents, which allows internal Laravel configuration files to be read. This leads to extraction of the APP_KEY from config/app.php, and with that key an attacker can forge validly encrypted and authenticated cookies; where the application hands the decrypted value to unserialize(), this becomes remote code execution. The issue is tracked as CVE-2025-34060 with a CVSS score of 10.0 and is associated with CWE-20, CWE-502, and CWE-829.

Unauthenticated remote attackers can exploit the flaw over the network without user interaction or credentials. By supplying a malicious link parameter, an attacker can read sensitive configuration data, forge session cookies, and trigger object deserialization to execute arbitrary code on the server, achieving full compromise of the affected forum instance.
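The input-validation half of the chain above, as an added illustration that is not the Monero forum's own code: a minimal image-proxy handler written twice in plain PHP. The first version mirrors the pattern the advisory describes (user-supplied link passed to file_get_contents(), finfo check only on whatever bytes came back); the second validates the URL before any I/O, fetches over http(s) only with cURL, and verifies the response parses as an image. Function names, the allowlist and the sample URLs are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added illustration, not the Monero forum's own code: a minimal image-proxy
// handler written two ways. The vulnerable version mirrors the pattern the
// advisory describes (link -> file_get_contents() -> finfo on the result);
// the hardened version validates the URL before any I/O is done.

// --- Vulnerable pattern (deliberately weak, do not copy) --------------------
function fetchImageVulnerable(string $link): ?string
{
    // Every stream wrapper PHP knows is accepted here: file://, php://filter,
    // phar://, data:// ... so local configuration files are reachable.
    $data = @file_get_contents($link);
    if ($data === false) {
        return null;
    }
    // finfo only sniffs the leading bytes. A php://filter chain that prepends
    // an image signature to a local file satisfies this check while the body
    // is still the file's real contents.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($data);
    return is_string($mime) && str_starts_with($mime, 'image/') ? $data : null;
}

// --- Hardened pattern -------------------------------------------------------
function isAllowedRemoteUrl(string $link): bool
{
    $parts = parse_url($link);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;                     // file:///x has no host; bare paths have no scheme
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;                     // php://, file://, data://, phar:// rejected
    }
    $host = $parts['host'];
    if (strcasecmp($host, 'localhost') === 0) {
        return false;
    }
    // Reject literal loopback/private/reserved IPs (SSRF). A production check
    // should also resolve the hostname and re-check the resolved address.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false
        && filter_var($host, FILTER_VALIDATE_IP,
               FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        return false;
    }
    return true;
}

function fetchImageHardened(string $link, int $maxBytes = 5_000_000): ?string
{
    if (!isAllowedRemoteUrl($link)) {
        return null;
    }
    $ch = curl_init($link);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,  // a redirect must not reopen the scheme question
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => $maxBytes,
    ]);
    $data = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if (!is_string($data) || $code !== 200 || strlen($data) > $maxBytes) {
        return null;
    }
    // Parse the bytes as an image instead of trusting a sniffed MIME prefix.
    $info    = @getimagesizefromstring($data);
    $allowed = ['image/png', 'image/jpeg', 'image/gif', 'image/webp'];
    if ($info === false || !in_array($info['mime'], $allowed, true)) {
        return null;
    }
    return $data;
}

// Constructed inputs showing what the pre-I/O check accepts and rejects.
foreach ([
    'php://filter/convert.base64-encode/resource=config/app.php',
    'file:///var/www/forum/.env',
    'http://127.0.0.1:8080/internal',
    'https://example.com/avatar.png',
] as $candidate) {
    printf("%-62s %s\n", $candidate, isAllowedRemoteUrl($candidate) ? 'allowed' : 'rejected');
}
```

The decisive change is ordering: the hardened version decides whether the link is acceptable from its syntax alone, before a single byte is read, so no stream wrapper or filter chain is ever opened. The image check then runs on the fetched bytes as a second, independent gate rather than as the only one.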

The EPSS score remains flat at 0.0189 with no material increase observed since disclosure. Public references at https://swap.gs/posts/monero-forums/ and https://vulncheck.com/advisories/monero-forum-rce provide further technical details on the issue.


Vulnerability details

A PHP object injection vulnerability exists in the Monero Project's Laravel-based forum software due to unsafe handling of untrusted input in the /get/image/ endpoint. The application passes a user-supplied link parameter directly to file_get_contents() without validation. MIME type checks using PHP's finfo can be bypassed via crafted stream filter chains that prepend spoofed headers, allowing access to internal Laravel configuration files. An attacker can extract the APP_KEY from config/app.php, forge encrypted cookies, and trigger unsafe unserialize() calls, leading to reliable remote code execution.
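The second half of the chain, forging encrypted cookies with a leaked APP_KEY and reaching unserialize(), as an added illustration that is not Laravel's or the forum's own code. The class below is a reduced model of the Laravel encrypted-payload layout as commonly described (AES-256-CBC; HMAC-SHA256 over base64(iv) . base64(ciphertext); JSON; base64) and should be checked against the installed Illuminate\Encryption\Encrypter before being relied on. The WakeupProbe class is a constructed, benign stand-in for a real gadget, and the key is generated on the spot; neither comes from the page.

```php
<?php
declare(strict_types=1);

// Added illustration, not Laravel's or the forum's own code. A reduced model of
// the Laravel encrypted-cookie layout, used to show why a leaked APP_KEY turns
// an authenticated, encrypted cookie into attacker-controlled input for
// unserialize(). Verify field names and defaults against the real Encrypter.

final class CookieCrypt
{
    private string $key;   // raw 32-byte AES-256 key

    public function __construct(string $appKey)
    {
        // APP_KEY is normally stored as "base64:<key>"
        $raw = str_starts_with($appKey, 'base64:')
            ? base64_decode(substr($appKey, 7), true)
            : $appKey;
        if (!is_string($raw) || strlen($raw) !== 32) {
            throw new InvalidArgumentException('expected a 32-byte key');
        }
        $this->key = $raw;
    }

    public function encrypt(mixed $value, bool $serialize = true): string
    {
        $iv    = random_bytes(16);
        $plain = $serialize ? serialize($value) : (string) $value;
        $ct    = openssl_encrypt($plain, 'aes-256-cbc', $this->key, 0, $iv); // base64 output
        if ($ct === false) {
            throw new RuntimeException('encryption failed');
        }
        $ivB64 = base64_encode($iv);
        $mac   = hash_hmac('sha256', $ivB64 . $ct, $this->key);
        return base64_encode(json_encode(['iv' => $ivB64, 'value' => $ct, 'mac' => $mac]));
    }

    // Unsafe consumer: plaintext goes straight to unserialize(). The MAC proves
    // only that the holder of APP_KEY built the payload; here that is the attacker.
    public function decryptUnsafe(string $payload): mixed
    {
        return unserialize($this->verifyAndDecrypt($payload));
    }

    // Hardened consumer: cookie plaintext is treated as data, never as an object graph.
    public function decryptSafe(string $payload): mixed
    {
        return json_decode($this->verifyAndDecrypt($payload), true, 512, JSON_THROW_ON_ERROR);
    }

    private function verifyAndDecrypt(string $payload): string
    {
        $json = json_decode((string) base64_decode($payload, true), true);
        if (!is_array($json) || !isset($json['iv'], $json['value'], $json['mac'])) {
            throw new RuntimeException('malformed payload');
        }
        $expected = hash_hmac('sha256', $json['iv'] . $json['value'], $this->key);
        if (!hash_equals($expected, (string) $json['mac'])) {
            throw new RuntimeException('MAC mismatch');
        }
        $iv    = base64_decode($json['iv'], true);
        $plain = $iv === false ? false
            : openssl_decrypt($json['value'], 'aes-256-cbc', $this->key, 0, $iv);
        if ($plain === false) {
            throw new RuntimeException('decryption failed');
        }
        return $plain;
    }
}

// Constructed, benign stand-in for a gadget class: it only records that the
// server revived an attacker-chosen object.
final class WakeupProbe
{
    public static bool $fired = false;
    public function __wakeup(): void { self::$fired = true; }
}

// Constructed key; not any deployment's real APP_KEY.
$leakedAppKey = 'base64:' . base64_encode(random_bytes(32));
$crypt = new CookieCrypt($leakedAppKey);

// Attacker holding the leaked key forges a valid cookie carrying a serialized object.
$forged = $crypt->encrypt(new WakeupProbe());

$crypt->decryptUnsafe($forged);
echo 'unsafe decrypt revived the object: ', WakeupProbe::$fired ? "yes\n" : "no\n";

try {
    $crypt->decryptSafe($forged);
} catch (JsonException $e) {
    echo "safe decrypt refused the forged payload: not JSON\n";
}
```

Two things follow for responders. Switching the consumer to JSON (or to unserialize() with allowed_classes set to false) removes the gadget-chain path, but it does nothing about forgery itself: anyone holding APP_KEY can still mint cookies the MAC check accepts, so after a confirmed read of the configuration the key has to be rotated and existing sessions invalidated, in addition to fixing the /get/image/ input handling.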

CWE(s)

CWE-20 (Improper Input Validation), CWE-502 (Deserialization of Untrusted Data), CWE-829 (Inclusion of Functionality from Untrusted Control Sphere)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Monero Project Laravel-based forum software
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls (automated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied. Addresses: CWE-20, CWE-502.

Isolated execution prevents functionality from an untrusted sphere from affecting the real environment, allowing safe behavioral inspection. Addresses: CWE-829, CWE-502.

Directly implementing checks on information inputs rejects invalid data before processing. Addresses: CWE-20, CWE-502.

Detecting and preventing inclusion of malicious functionality downloaded from untrusted control spheres. Addresses: CWE-829, CWE-502.

Provenance of associated data allows detection of untrusted sources before deserialization or processing occurs. Addresses: CWE-502, CWE-829.

Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions. Addresses: CWE-502.

Limiting P2P file sharing technology reduces inclusion of functionality or resources from untrusted external control spheres. Addresses: CWE-829.

Enforcing installation policies prevents users from including functionality obtained from untrusted control spheres. Addresses: CWE-829.

References

https://swap.gs/posts/monero-forums/
https://vulncheck.com/advisories/monero-forum-rce