--[ Security Advisory: PHP Object Injection in Vfront 0.99.52 (CVE-2025-60641)

Published Date: October 11, 2025
CVE ID: CVE-2025-60641

--[ Summary

A PHP Object Injection vulnerability (CWE-502: Deserialization of Untrusted
Data) was discovered in Vfront 0.99.52, specifically in the mexcel.php
file. The vulnerability allows unauthenticated remote attackers to inject
arbitrary PHP objects via crafted serialized data, potentially leading to
Remote Code Execution (RCE), SQL Injection, Path Traversal, or Denial of
Service (DoS), depending on exploitable classes in the Vfront codebase or
its dependencies.

--[ Affected Software

Product: Vfront
Versions: 0.99.52
Component: mexcel.php file

--[ Vulnerability Details

The mexcel.php file in Vfront 0.99.52 processes user-supplied input from the
$_POST['mexcel'] parameter, which is decoded from base64 and passed to the
PHP unserialize() function without validation or use of the allowed_classes
option. This occurs at:

https://github.com/marciuz/vfront/blob/5ed843cdd3eb95faf8e8d0e727a7c3d34f2151d3/mexcel.php#L23

    $_data = unserialize(base64_decode($_POST['mexcel']));

This insecure deserialization allows attackers to submit a crafted
base64-encoded serialized string via the mexcel POST parameter, enabling
injection of arbitrary PHP objects.

--[ Mitigation

Remove or Restrict mexcel.php: Delete the file post-installation or restrict access via server configuration
Validate Input: Modify mexcel.php to sanitize $_POST['mexcel'] or use allowed_classes in unserialize()
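As an added illustration of the second mitigation (this is example code, not Vfront's), a replacement for the vulnerable line that decodes strictly, disables class instantiation, and checks the decoded shape. It assumes the intended payload is a plain array of scalars; that shape is an assumption and must be matched to what mexcel.php really expects.

```php
<?php
// Added example (not Vfront's code): hardened replacement for the
// unserialize() call in mexcel.php. Assumes (hypothetically) that the
// legitimate payload is an array of scalar values or nested arrays of them.

function decode_mexcel(string $raw): array
{
    // Strict base64: reject characters outside the alphabet instead of
    // silently dropping them.
    $bin = base64_decode($raw, true);
    if ($bin === false) {
        throw new InvalidArgumentException('mexcel: invalid base64');
    }

    // Cheap pre-check: serialized objects begin with O: (custom
    // serializable classes with C:) at the start of the payload or right
    // after a ; or {. A string value that happens to contain this pattern
    // is also rejected, which errs on the safe side.
    if (preg_match('/(^|[;{])[OC]:\d+:"/', $bin)) {
        throw new InvalidArgumentException('mexcel: object payload rejected');
    }

    // allowed_classes => false (PHP >= 7.0): any object that still appears
    // becomes __PHP_Incomplete_Class, so no __wakeup()/__destruct() of an
    // application or library class can run during deserialization.
    $data = @unserialize($bin, ['allowed_classes' => false]);
    if ($data === false && $bin !== serialize(false)) {
        throw new InvalidArgumentException('mexcel: malformed payload');
    }

    // Shape check: only arrays whose leaves are scalars or null.
    $isPlain = function ($v) use (&$isPlain): bool {
        if (is_array($v)) {
            foreach ($v as $item) {
                if (!$isPlain($item)) {
                    return false;
                }
            }
            return true;
        }
        return is_scalar($v) || $v === null;
    };
    if (!is_array($data) || !$isPlain($data)) {
        throw new InvalidArgumentException('mexcel: unexpected data shape');
    }
    return $data;
}

// In place of the original line:
// $_data = decode_mexcel($_POST['mexcel'] ?? '');
```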

--[ Disclosure Timeline

2025-08-15: Vulnerability discovered during code review.
2025-10-10: CVE-2025-60641 assigned by MITRE.
2025-10-11: Public advisory published.

--[ References

Vfront Official Website: http://vfront.com
CVE Record: CVE-2025-60641 (to be updated upon publication)
CWE-502: Deserialization of Untrusted Data (https://cwe.mitre.org/data/definitions/502.html)
