{ "threat_severity" : "Critical", "public_date" : "2025-06-02T00:00:00Z", "bugzilla" : { "description" : "roundcubemail: Remote Code Execution in Roundcube via Unvalidated _from Parameter", "id" : "2369696", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2369696" }, "cvss3" : { "cvss3_base_score" : "9.9", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "status" : "draft" }, "cwe" : "CWE-502", "details" : [ "Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.", "A flaw was found in Roundcube Webmail. This vulnerability allows remote code execution by authenticated users via PHP object deserialization through unvalidated _from parameter in upload.php." ], "statement" : "Red Hat has evaluated this vulnerability and its related components. No products are affected as Roundcube Webmail is not shipped in the Red Hat Product Portfolio.", "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-49113\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-49113\nhttps://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d\nhttps://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695\nhttps://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e\nhttps://github.com/roundcube/roundcubemail/pull/9865\nhttps://github.com/roundcube/roundcubemail/releases/tag/1.5.10\nhttps://github.com/roundcube/roundcubemail/releases/tag/1.6.11\nhttps://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10\nhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog" ], "name" : "CVE-2025-49113", "mitigation" : { "value" : "To mitigate this vulnerability, update Roundcube Webmail to version 1.5.10 or 1.6.11, which addresses the issue by properly validating the _from parameter in upload.php.", "lang" : "en:us" }, "csaw" : false }