CVE-2025-2376

CVE-2025-2376 is a critical deserialization vulnerability affecting viames Pair Framework versions up to 1.9.11. The issue resides in the getCookieContent function within the file /src/UserRemember.php of the PHP Object Handler component. By manipulating the cookieName argument, an attacker can trigger improper deserialization, as identified under CWE-20 (Improper Input Validation) and CWE-502 (Deserialization of Untrusted Data). The vulnerability was published on 2025-03-17 and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

The vulnerability enables remote exploitation without requiring user privileges or interaction. An unauthenticated attacker can send crafted requests to manipulate the cookieName parameter, leading to deserialization of untrusted data. Successful exploitation could result in low-level impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution or other malicious behaviors depending on the deserialized objects.

Advisories from VulDB, including entries at vuldb.com/?ctiid.299875, vuldb.com/?id.299875, and vuldb.com/?submit.515735, document the vulnerability details and submission. A public exploit proof-of-concept is available at gist.github.com/mcdruid/1997e10026833d2d1f3e359d75b5912a.

Security practitioners should note that the exploit has been publicly disclosed, increasing the risk of active exploitation against unpatched viames Pair Framework instances up to 1.9.11.