CVE-2025-34060

Published Jul 1, 2025 Modified Apr 15, 2026 CWE-20 CWE-502 CWE-829

Description

A PHP objection injection vulnerability exists in the Monero Project’s Laravel-based forum software due to unsafe handling of untrusted input in the /get/image/ endpoint. The application passes a user-supplied link parameter directly to file_get_contents() without validation. MIME type checks using PHP’s finfo can be bypassed via crafted stream filter chains that prepend spoofed headers, allowing access to internal Laravel configuration files. An attacker can extract the APP_KEY from config/app.php, forge encrypted cookies, and trigger unsafe unserialize() calls, leading to reliable remote code execution.

Weakness Type (CWE)

CWE-20 Improper Input Validation
CWE-502 Deserialization of Untrusted Data
CWE-829 CWE-829

References

Frequently Asked Questions

What is CVE-2025-34060? +
A PHP objection injection vulnerability exists in the Monero Project’s Laravel-based forum software due to unsafe handling of untrusted input in the /get/image/ endpoint. The application passes a user-supplied link parameter directly to file_get_contents() without validation. MIME type checks using PHP’s finfo can be bypassed via crafted stream filter chains that prepend spoofed headers, allowing access to internal Laravel configuration files. An attacker can extract the APP_KEY from config/app.php, forge encrypted cookies, and trigger unsafe unserialize() calls, leading to reliable remote code execution.
How do I check if I'm vulnerable to CVE-2025-34060? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-13826

Zervit's portable HTTP/web server is vulnerable to remote DoS attacks when a configuration reset request is made. The vulnerability is …
CVE-2026-44522

Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to …
CVE-2024-54011

Penetration Testing engineers at Amazon have discovered a flaw where the camera system fails to properly handle data supplied in …
CVE-2026-6409

A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured …
CVE-2025-23202

Bible Module is a tool designed for ROBLOX developers to integrate Bible functionality into their games. The `FetchVerse` and `FetchPassage` …
CVE-2025-24501

An improper input validation allows an unauthenticated attacker to alter PAM logs by sending a specially crafted HTTP request.

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2025-34060 — free, no signup required.

Start Free Scan