CVE-2025-59050
Published: 16 September 2025
Summary
CVE-2025-59050 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Getgreenshot Greenshot. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Inter-Process Communication (T1559). The CVE ranks in the top 43.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of untrusted inputs such as WM_COPYDATA payloads prior to deserialization, preventing arbitrary code execution gadget chains.
Establishes processes to identify, prioritize, and remediate flaws like the unsafe BinaryFormatter.Deserialize usage by patching to version 1.3.301.
Enables vulnerability scanning to identify and monitor systems running vulnerable Greenshot versions affected by CVE-2025-59050.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unsafe deserialization triggered via WM_COPYDATA IPC message enables local arbitrary code execution inside the Greenshot process.
NVD Description
Greenshot is an open source Windows screenshot utility. Greenshot 1.3.300 and earlier deserializes attacker-controlled data received in a WM_COPYDATA message using BinaryFormatter.Deserialize without prior validation or authentication, allowing a local process at the same integrity level to trigger arbitrary code execution inside the Greenshot process. The vulnerable logic resides in a WinForms WndProc handler for WM_COPYDATA (message 74) that copies the supplied bytes into a MemoryStream and invokes BinaryFormatter.Deserialize, and only afterward checks whether the specified channel is authorized. Because the authorization check occurs after deserialization, any gadget chain embedded in the serialized payload executes regardless of channel membership. A local attacker who can send WM_COPYDATA to the Greenshot main window can achieve in-process code execution, which may aid evasion of application control policies by running payloads within the trusted, signed Greenshot.exe process. This issue is fixed in version 1.3.301. No known workarounds exist.
Deeper analysis
CVE-2025-59050 is a deserialization vulnerability in Greenshot, an open source Windows screenshot utility. Versions 1.3.300 and earlier are affected due to unsafe use of BinaryFormatter.Deserialize on attacker-controlled data received via a WM_COPYDATA message (message 74) in a WinForms WndProc handler. The handler copies the supplied bytes into a MemoryStream and deserializes them without prior validation or authentication, only checking channel authorization afterward, which allows gadget chains in the payload to execute regardless.
A local attacker with a process at the same integrity level as Greenshot can exploit this by sending a crafted WM_COPYDATA message to the Greenshot main window. This triggers arbitrary code execution within the Greenshot process, potentially enabling evasion of application control policies by running payloads inside the trusted, signed Greenshot.exe process.
The vulnerability is fixed in Greenshot version 1.3.301, as detailed in the project's security advisory (GHSA-8f7f-x7ww-xx5w) and the associated commit (f5a29a2ed3b0eb49231c0f4618300f488cf1b04d). No known workarounds exist.
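The ordering flaw described above (deserialize first, authorize afterward) contrasted with a receiver that avoids it, as an added C# example that is not Greenshot's code or its actual patch. The form name, the allow-listed channel value, the size limit and the two-string wire format are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.InteropServices;
using System.Windows.Forms;
// Hypothetical receiver form; names and wire format are assumptions, not Greenshot's code.
public class IpcReceiverForm : Form
{
    private const int WM_COPYDATA = 0x004A;         // message 74
    private const int MaxPayloadBytes = 64 * 1024;  // assumed upper bound for one command
    private static readonly HashSet<string> AllowedChannels =
        new HashSet<string>(StringComparer.Ordinal) { "example-channel" }; // constructed value
    public event Action<string, string> CommandReceived;
    [StructLayout(LayoutKind.Sequential)]
    private struct COPYDATASTRUCT { public IntPtr dwData; public int cbData; public IntPtr lpData; }

    protected override void WndProc(ref Message m)
    {
        if (m.Msg == WM_COPYDATA && TryReadCommand(m.LParam, out string channel, out string argument))
        {
            CommandReceived?.Invoke(channel, argument);
            m.Result = (IntPtr)1;   // report the message as handled
            return;
        }
        base.WndProc(ref m);
    }

    // Vulnerable order: BinaryFormatter.Deserialize on the raw bytes, then the channel check.
    // Here the bytes are size-bounded, read as plain data, and the channel is authorized first.
    private static bool TryReadCommand(IntPtr lParam, out string channel, out string argument)
    {
        channel = argument = null;
        if (lParam == IntPtr.Zero) return false;
        var cds = Marshal.PtrToStructure<COPYDATASTRUCT>(lParam);
        if (cds.lpData == IntPtr.Zero || cds.cbData <= 0 || cds.cbData > MaxPayloadBytes) return false;
        var bytes = new byte[cds.cbData];
        Marshal.Copy(cds.lpData, bytes, 0, bytes.Length);
        try
        {
            using (var reader = new BinaryReader(new MemoryStream(bytes)))
            {
                channel = reader.ReadString();  // length-prefixed UTF-8 string, no type instantiation
                if (!AllowedChannels.Contains(channel)) { channel = null; return false; }
                argument = reader.ReadString(); // read only after the channel is authorized
                return true;
            }
        }
        catch (Exception e) when (e is IOException || e is FormatException) { channel = argument = null; return false; }
    }
}
```

The allow-list check limits which channels are processed but does not authenticate the sending process, so the parser itself must stay free of type-instantiating deserializers.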