CVE-2025-43960
Published: 25 August 2025
Summary
CVE-2025-43960 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Adminer. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique OS Exhaustion Flood (T1499.001). The CVE ranks in the top 33.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-43960 is a denial-of-service vulnerability affecting Adminer 4.8.1 when Monolog is used for logging. It stems from a PHP object injection issue triggered by a crafted serialized payload, such as one using an excessively large string length like s:1000000000. This causes significant memory consumption, rendering the Adminer interface unresponsive and leading to server-level resource exhaustion. The vulnerability is rated with a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L) and is associated with CWE-502 (Deserialization of Untrusted Data).
Remote, unauthenticated attackers can exploit this vulnerability by sending a malicious serialized object to Adminer. Successful exploitation forces excessive memory usage, resulting in a denial of service where the server becomes unresponsive. While the server may recover after several minutes, multiple simultaneous requests can precipitate a complete crash requiring manual intervention.
References indicate mitigation through upgrading to Adminer 4.8.2, as shown in the GitHub compare between v4.8.1 and v4.8.2 releases. A proof-of-concept exploit is available in the repository at github.com/far00t01/CVE-2025-43960, and additional details can be found on the official Adminer site at adminer.org and the Monolog repository at github.com/Seldaek/monolog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25694
Vulnerability details
Adminer 4.8.1, when using Monolog for logging, allows a Denial of Service (memory consumption) via a crafted serialized payload (e.g., using s:1000000000), leading to a PHP Object Injection issue. Remote, unauthenticated attackers can trigger this by sending a malicious serialized object, which forces excessive memory usage, rendering Adminer’s interface unresponsive and causing a server-level DoS. While the server may recover after several minutes, multiple simultaneous requests can cause a complete crash requiring manual intervention.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2025-43960 enables unauthenticated remote attackers to trigger PHP Object Injection in Adminer with Monolog, causing memory exhaustion that renders the application unresponsive or crashes the server, facilitating OS exhaustion flood (T1499.001), application exhaustion flood (T1499.003), and application/system exploitation for DoS (T1499.004).
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation) directly addresses the PHP object injection vulnerability by applying patches such as upgrading Adminer to version 4.8.2, eliminating the root cause of the memory exhaustion.
SC-5 (Denial-of-service Protection) implements mechanisms such as rate limiting and resource quotas to block or limit crafted serialized payloads that cause excessive memory consumption and server crashes.
SI-10 (Information Input Validation) detects and rejects malformed serialized payloads with excessive declared lengths before they reach the Monolog logging mechanism, mitigating the object injection trigger.
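As an added defender-side example (not code from Adminer, Monolog or this advisory), the following Python pre-check walks the PHP serialize() grammar and refuses a payload before it reaches unserialize() or a log sink when a declared string or array length exceeds a policy cap or the bytes actually present (the s:1000000000 shape described above), or when it carries an object tag. The caps, regexes and sample payloads are constructed assumptions.

```python
import re
# Added example (not Adminer/Monolog code): pre-check for PHP serialize() payloads; the caps are assumed policy values.
_STR = re.compile(rb':(\d+):"')    # header after an s: tag, up to the opening quote
_ARR = re.compile(rb':(\d+):\{')   # header after an a: tag, up to the opening brace

def check_serialized(data, max_string=64 * 1024, max_items=10_000):
    """Walk the grammar (bytes in) without building values; return None if acceptable,
    else a reason (length above cap or past the data, object tag O:/C:, bad structure)."""
    pos = 0
    def header(pat):  # parse ":<len>:" plus its opening delimiter, return <len>
        nonlocal pos
        m = pat.match(data, pos)
        if not m:
            raise ValueError(f'bad length field at offset {pos}')
        pos = m.end()
        return int(m.group(1))

    def value():
        nonlocal pos
        tag, pos = data[pos:pos + 1], pos + 1
        if tag in (b'N', b'b', b'i', b'd', b'r', b'R'):   # N; b:1; i:7; d:0.5; r:2;
            pos = data.index(b';', pos) + 1                # index() raises ValueError if unterminated
        elif tag == b's':                                 # s:<len>:"<bytes>";
            n = header(_STR)
            if n > max_string:
                raise ValueError(f'declared string length {n} exceeds cap {max_string}')
            if data[pos + n:pos + n + 2] != b'";':         # a short slice means the length overruns the data
                raise ValueError(f'declared string length {n} overruns payload')
            pos += n + 2
        elif tag == b'a':                                 # a:<count>:{key value ...}
            n = header(_ARR)
            if n > max_items:
                raise ValueError(f'declared array size {n} exceeds cap {max_items}')
            for _ in range(n):
                value(); value()                          # key, then value
            if data[pos:pos + 1] != b'}':
                raise ValueError(f'unterminated array at offset {pos}')
            pos += 1
        elif tag in (b'O', b'C'):                         # never let classes through
            raise ValueError(f'object tag {tag!r} rejected')
        else:
            raise ValueError(f'unknown tag {tag!r} at offset {pos - 1}')

    try:
        value()
        if pos != len(data):
            raise ValueError('trailing bytes after value')
    except (ValueError, RecursionError) as exc:          # RecursionError bounds nesting depth
        return str(exc)
    return None
```

A hit on the cap or overrun check is also a cheap detection signal worth logging together with the request source; the same walk can be ported to a PHP guard placed in front of unserialize().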