CVE-2025-32957

Description

### Details The application's restore function allows users to upload a `.zip` file, which is then automatically extracted. A PHP file inside the archive is included using `require_once` without validating or restricting the filename. An attacker can craft a malicious PHP file within the zip and achieve arbitrary code execution when it is included. Vector: Malicious ZIP upload + insecure `require_once` ### PoC 1. Restore backup ![image](https://github.com/user-attachments/assets/9e59768a-4a8e-472d-aaef-5d54546080f6) 1. Load file shell (insecure `require_once`) ![image](https://github.com/user-attachments/assets/8f7919a2-c7f3-4ae1-af6c-1b0057e4ba22) ![image](https://github.com/user-attachments/assets/c10ef049-459d-429e-a608-8fb220c3387f) ### Impact Remote Code Execution (RCE)

How to fix CVE-2025-32957

To remediate CVE-2025-32957, upgrade the affected package to a fixed version below.

—upgrade to 5.2.3 or later

Is CVE-2025-32957 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 5.2.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N