CVE-2025-49113: 
PHP vulnerability analysis and mitigation

CVE-2025-49113 is a critical vulnerability affecting Roundcube Webmail versions before 1.5.10 and 1.6.x before 1.6.11. The vulnerability was discovered by Kirill Firsov and disclosed on June 1, 2025. It allows remote code execution by authenticated users due to improper validation of the _from parameter in program/actions/settings/upload.php, which leads to PHP Object Deserialization (NVD, Roundcube News).

The vulnerability is classified as a PHP Object Deserialization issue (CWE-502) where the _from parameter in a URL is not properly validated in the upload.php file. The vulnerability has received a CVSS v3.1 score of 9.9 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact across confidentiality, integrity, and availability (NVD, Wiz).

The vulnerability has a critical severity rating with potential for complete system compromise. As a post-authentication remote code execution vulnerability, it allows authenticated users to execute arbitrary code on the affected system. According to Shadowserver Foundation, approximately 84,000 internet-facing installations, predominantly in Europe, Asia, and North America, remain vulnerable (Help Net Security).

The vulnerability has been fixed in Roundcube Webmail versions 1.5.10 and 1.6.11. System administrators are strongly recommended to update all productive installations to these versions immediately. The fix includes improved validation of URL parameters and the implementation of a helper method to check for simple strings. Organizations should also monitor file uploads, session activity, and other indicators tied to this attack vector (Roundcube News, GitHub Release).

The security update has received positive community response on GitHub, with multiple users reacting positively to the release announcement. The fix was acknowledged as an important security update, with 17 users giving it a thumbs up reaction and additional heart and celebration reactions (GitHub Release).