Cyber Posture

CVE-2025-0841

Severity: High
Published: 29 January 2025
Modified: 15 April 2026
KEV Added: none recorded
Patch: none recorded
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0017 (37.4th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability has been found in Aridius XYZ up to 20240927 on OpenCart and classified as critical. This vulnerability affects the function loadMore of the component News. The manipulation leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component.

Security Summary

CVE-2025-0841 is a deserialization vulnerability (CWE-502, Deserialization of Untrusted Data; also tagged CWE-20, Improper Input Validation) in Aridius XYZ, an extension for OpenCart, in versions up to 20240927. The flaw is in the loadMore function of the News component: data supplied by a remote, unauthenticated client reaches a deserialization routine without being validated first. VulDB classifies the issue as critical on its own scale; the CVSS 3.1 base score of 7.3 places it in the High range.
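The following is an added illustration of the CWE-502 pattern the record describes, not the Aridius XYZ extension's own code: a minimal stand-in for a "load more news" AJAX handler that rebuilds its paging state with unserialize(), shown beside two hardened shapes. The parameter name (state), the AuditLogger class and the request array are constructed for the demo; the page does not say which parameter or classes are involved in the real flaw.

```php
<?php
// Added example (not the Aridius XYZ / OpenCart code). Run with: php demo.php

// Any class with a magic method becomes a gadget once unserialize() can
// instantiate it from attacker-controlled bytes. This one is deliberately
// harmless: __wakeup only records that it ran. A real chain would pick a
// class whose magic method writes files, runs queries, or includes code.
class AuditLogger {
    public string $target = '/tmp/demo.log';
    public static array $wokeUp = [];
    public function __wakeup(): void { self::$wokeUp[] = $this->target; }
}

// Vulnerable shape: paging state is round-tripped through the client as a
// PHP-serialized blob and fed straight back into unserialize(). Note that
// __wakeup/__destruct of any class in the payload run *before* the handler
// gets a chance to validate anything.
function loadMoreVulnerable(array $request): array {
    $state = unserialize($request['state']);                 // CWE-502
    $start = is_array($state) ? (int) ($state['start'] ?? 0) : 0;
    return ['start' => $start, 'items' => fetchNews($start, 5)];
}

// Hardened shape: the client only ever sends plain scalars, which are
// validated and bounded before use; no object graph is rebuilt from input.
function loadMoreHardened(array $request): array {
    $start = filter_var($request['start'] ?? 0, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 10000]]);
    if ($start === false) {
        throw new InvalidArgumentException('invalid start offset');
    }
    return ['start' => $start, 'items' => fetchNews($start, 5)];
}

// If serialized PHP input genuinely cannot be removed, at least refuse to
// instantiate classes: objects arrive as __PHP_Incomplete_Class, so no
// magic methods run, and anything that is not the expected array is rejected.
function loadMoreNoClasses(array $request): array {
    $state = unserialize($request['state'], ['allowed_classes' => false]);
    if (!is_array($state)) {
        throw new InvalidArgumentException('state must be a plain array');
    }
    $start = (int) ($state['start'] ?? 0);
    return ['start' => $start, 'items' => fetchNews($start, 5)];
}

// Constructed stand-in for the database query behind the news list.
function fetchNews(int $start, int $limit): array {
    $all = ['n1', 'n2', 'n3', 'n4', 'n5', 'n6', 'n7'];
    return array_slice($all, $start, $limit);
}

// A legitimate client sends the array the handler expects...
$benign = serialize(['start' => 5]);
// ...but nothing stops it from sending an object instead. This payload is
// constructed for the demo and instantiates only the harmless AuditLogger.
$crafted = 'O:11:"AuditLogger":1:{s:6:"target";s:19:"attacker-controlled";}';

loadMoreVulnerable(['state' => $benign]);
loadMoreVulnerable(['state' => $crafted]);
printf("vulnerable handler: __wakeup ran %d time(s) on attacker-chosen object(s)\n",
    count(AuditLogger::$wokeUp));

try {
    loadMoreNoClasses(['state' => $crafted]);
} catch (InvalidArgumentException $e) {
    printf("allowed_classes=false: rejected (%s); __wakeup count still %d\n",
        $e->getMessage(), count(AuditLogger::$wokeUp));
}

print_r(loadMoreHardened(['start' => '5']));
```

The vulnerable handler is the one to recognise when auditing an extension: the serialized value arrives from the request and is handed to unserialize() before any check, so validation placed after that call is already too late. Of the two fixes, dropping PHP serialization from the request contract entirely is preferable; allowed_classes => false is a containment measure for code that cannot yet be refactored, and it still leaves unserialize() parsing attacker-controlled bytes.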

The vector describes an attack over the network (AV:N) with low complexity (AC:L), needing no privileges (PR:N) and no user interaction (UI:N), and not changing scope (S:U). The impact on confidentiality, integrity and availability is rated Low (C:L/I:L/A:L), which yields a CVSS 3.1 base score of 7.3 (High). Those partial-impact ratings are the assessor's estimate rather than a property of the bug class: deserialization of untrusted data in PHP escalates to arbitrary code execution whenever a usable gadget chain is available, so treat 7.3 as a floor for an internet-facing store that ships this extension. The EPSS score of 0.0017 (37.4th percentile) and the absence of a KEV listing indicate that exploitation in the wild has not been observed at scale, which is why the weighted Risk Priority here is only 15.
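To make the numbers on this page reproducible, the following is an added example (not Cyber Posture's or VulDB's code) that recomputes the CVSS 3.1 base score from the vector string above and then reproduces the page's Risk Priority. The CVSS arithmetic follows the published 3.1 specification; the exact normalisation behind the 60/20/20 weighting is an assumption (EPSS and CVSS scaled to 0-100, KEV counted as 100 when listed and 0 otherwise), chosen because it reproduces the 15 shown. The function names are mine.

```php
<?php
// Added example: CVSS 3.1 base-score calculator plus an assumed Risk Priority
// formula. Weight tables are from the CVSS 3.1 specification.

const AV  = ['N' => 0.85, 'A' => 0.62, 'L' => 0.55, 'P' => 0.2];
const AC  = ['L' => 0.77, 'H' => 0.44];
const UI  = ['N' => 0.85, 'R' => 0.62];
const CIA = ['H' => 0.56, 'L' => 0.22, 'N' => 0.0];
// Privileges Required depends on whether scope is changed.
const PR_U = ['N' => 0.85, 'L' => 0.62, 'H' => 0.27];
const PR_C = ['N' => 0.85, 'L' => 0.68, 'H' => 0.5];

// Parse "CVSS:3.1/AV:N/AC:L/..." into a metric => value map.
function parseVector(string $vector): array {
    $parts = explode('/', $vector);
    if (array_shift($parts) !== 'CVSS:3.1') {
        throw new InvalidArgumentException('only CVSS:3.1 vectors are handled');
    }
    $m = [];
    foreach ($parts as $p) {
        [$k, $v] = explode(':', $p, 2);
        $m[$k] = $v;
    }
    foreach (['AV', 'AC', 'PR', 'UI', 'S', 'C', 'I', 'A'] as $req) {
        if (!isset($m[$req])) {
            throw new InvalidArgumentException("missing base metric $req");
        }
    }
    return $m;
}

// CVSS 3.1 "Roundup": smallest one-decimal number >= input, done on an
// integer representation as the spec recommends to avoid float artefacts.
function roundUp(float $x): float {
    $i = (int) round($x * 100000);
    if ($i % 10000 === 0) {
        return $i / 100000;
    }
    return (floor($i / 10000) + 1) / 10;
}

function baseScore(string $vector): float {
    $m = parseVector($vector);
    $changed = $m['S'] === 'C';
    $iss = 1 - (1 - CIA[$m['C']]) * (1 - CIA[$m['I']]) * (1 - CIA[$m['A']]);
    $impact = $changed
        ? 7.52 * ($iss - 0.029) - 3.25 * pow($iss - 0.02, 15)
        : 6.42 * $iss;
    $pr = $changed ? PR_C[$m['PR']] : PR_U[$m['PR']];
    $exploitability = 8.22 * AV[$m['AV']] * AC[$m['AC']] * $pr * UI[$m['UI']];
    if ($impact <= 0) {
        return 0.0;
    }
    return $changed
        ? roundUp(min(1.08 * ($impact + $exploitability), 10))
        : roundUp(min($impact + $exploitability, 10));
}

// Assumed reconstruction of the site's Risk Priority: 60% EPSS, 20% KEV,
// 20% CVSS, each component scaled to 0-100 and the result rounded.
function riskPriority(float $epss, bool $inKev, float $cvss): int {
    return (int) round(0.6 * ($epss * 100) + 0.2 * ($inKev ? 100 : 0) + 0.2 * ($cvss * 10));
}

$vector = 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L';
$score  = baseScore($vector);
printf("%s -> base score %.1f\n", $vector, $score);
printf("risk priority (EPSS 0.0017, not in KEV): %d\n", riskPriority(0.0017, false, $score));
```

Worked by hand for this vector: ISS = 1 - 0.78^3 = 0.5254, Impact = 6.42 * 0.5254 = 3.373, Exploitability = 8.22 * 0.85 * 0.77 * 0.85 * 0.85 = 3.887, and Roundup(7.260) = 7.3. With that score the assumed weighting gives 0.6 * 0.17 + 0 + 0.2 * 73 = 14.7, rounded to 15. The useful thing to notice is how little EPSS contributes at this percentile: a KEV listing alone would add 20 points, so re-checking the KEV field after a public PoC appears matters more than the base score.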

Advisories, including the VulDB entry, recommend upgrading the affected Aridius XYZ component; since builds up to 20240927 are affected, that means moving to a later release, and the page does not name a specific fixed version. A public proof-of-concept exploit has been disclosed, hosted on a GitHub Gist and referenced from the VulDB entry, so exposed OpenCart stores running this extension should be treated as having a known, unauthenticated attack path until the component is upgraded or the News loadMore endpoint is disabled.

Details

CWE(s)

CWE-20: Improper Input Validation
CWE-502: Deserialization of Untrusted Data

References