CVE-2025-54366

FreeScout is a lightweight free open source help desk and shared inbox built with PHP (Laravel framework). In versions 1.8.185 and below, there is a critical deserialization vulnerability in the /conversation/ajax endpoint that allows authenticated users with knowledge of the APP_KEY to achieve remote code execution. The vulnerability occurs when the application processes the attachments_all and attachments POST parameters through the insecure Helper::decrypt() function, which performs unsafe deserialization of user-controlled data without proper validation. This flaw enables attackers to create arbitrary objects and manipulate their properties, leading to complete compromise of the web application. This is fixed in version 1.8.186.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/freescout-help-desk/freescout/commit/9669c57f1ddbee896752d9e16270abfd97b20eb9	Patch
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-vcc2-6r66-gvvj	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-07-26 04:16

Updated : 2025-09-11 15:54

NVD link : CVE-2025-54366

Mitre link : CVE-2025-54366

CVE.ORG link : CVE-2025-54366

JSON object : View

Products Affected

freescout

freescout

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2025-54366", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-26T04:16:04.857", "references": [{"url": "https://github.com/freescout-help-desk/freescout/commit/9669c57f1ddbee896752d9e16270abfd97b20eb9", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-vcc2-6r66-gvvj", "tags": ["Exploit", "Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "FreeScout is a lightweight free open source help desk and shared inbox built with PHP (Laravel framework). In versions 1.8.185 and below, there is a critical deserialization vulnerability in the /conversation/ajax endpoint that allows authenticated users with knowledge of the APP_KEY to achieve remote code execution. The vulnerability occurs when the application processes the attachments_all and attachments POST parameters through the insecure Helper::decrypt() function, which performs unsafe deserialization of user-controlled data without proper validation. This flaw enables attackers to create arbitrary objects and manipulate their properties, leading to complete compromise of the web application. This is fixed in version 1.8.186."}, {"lang": "es", "value": "FreeScout es un servicio de asistencia y bandeja de entrada compartida, ligero, gratuito y de c\u00f3digo abierto, desarrollado con PHP (Laravel framework). En las versiones 1.8.185 y anteriores, existe una vulnerabilidad cr\u00edtica de deserializaci\u00f3n en el endpoint /conversation/ajax que permite a los usuarios autenticados con conocimiento de APP_KEY ejecutar c\u00f3digo remoto. La vulnerabilidad ocurre cuando la aplicaci\u00f3n procesa los par\u00e1metros POST attachments_all y attachments mediante la funci\u00f3n insegura Helper::decrypt(), que realiza una deserializaci\u00f3n insegura de datos controlados por el usuario sin la validaci\u00f3n adecuada. Esta falla permite a los atacantes crear objetos arbitrarios y manipular sus propiedades, lo que compromete por completo la aplicaci\u00f3n web. Esto se corrigi\u00f3 en la versi\u00f3n 1.8.186."}], "lastModified": "2025-09-11T15:54:46.540", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "11FCD8A6-16E4-4335-BAEA-4328A5DFD57D", "versionEndExcluding": "1.8.86"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}