CVE-2025-34060

Monero Forum Remote Code Execution via Arbitrary File Read and Cookie Forgery

Description

A PHP objection injection vulnerability exists in the Monero Project’s Laravel-based forum software due to unsafe handling of untrusted input in the /get/image/ endpoint. The application passes a user-supplied link parameter directly to file_get_contents() without validation. MIME type checks using PHP’s finfo can be bypassed via crafted stream filter chains that prepend spoofed headers, allowing access to internal Laravel configuration files. An attacker can extract the APP_KEY from config/app.php, forge encrypted cookies, and trigger unsafe unserialize() calls, leading to reliable remote code execution.

Category

10.0
CVSS
Severity: Critical
CVSS 4.0 •
EPSS 0.19%
Third-Party Advisory vulncheck.com
Affected: Monero Project Forum
Published at:
Updated at:

References

Link Tags
https://swap.gs/posts/monero-forums/ technical description
https://vulncheck.com/advisories/monero-forum-rce third party advisory

Frequently Asked Questions

What is the severity of CVE-2025-34060?
CVE-2025-34060 has been scored as a critical severity vulnerability.
How to fix CVE-2025-34060?
To fix CVE-2025-34060, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-34060 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-34060 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-34060?
CVE-2025-34060 affects Monero Project Forum.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.