PHP Object Injection Vulnerability in Monero Forum Software
CVE-2025-34060

10CRITICAL

Key Information:

Vendor: Monero Project
Status: Forum
Vendor: CVE Published:; 1 July 2025

🔔 Create Monero Project Vulnerability Alert

What is CVE-2025-34060?

The Monero Project’s Laravel-based forum software suffers from a PHP object injection vulnerability due to improper handling of untrusted input in the /get/image/ endpoint. This flaw allows an attacker to manipulate user-supplied link parameters and pass them directly to the file_get_contents() function without adequate sanitization. By exploiting crafted stream filter chains, an attacker can bypass MIME type checks and gain access to sensitive internal Laravel configuration files. Consequently, a malicious user can extract critical application keys and forge encrypted cookies, potentially leading to unauthorized execution of commands and control of the server.

Affected Version(s)

Forum 0

References

https://swap.gs/posts/monero-forums/

technical-description

https://vulncheck.com/advisories/monero-forum-rce

third-party-advisory

CVSS V4

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 1, 2025
Vulnerability Reserved
Apr 15, 2025

Credit

cfreal