CVE-2025-59050: 
Greenshot vulnerability analysis and mitigation

A critical security vulnerability (CVE-2025-59050) was discovered in Greenshot, an open-source Windows screenshot utility. The vulnerability affects versions 1.3.300 and earlier, disclosed on September 16, 2025. The flaw allows local attackers to execute arbitrary code within the trusted Greenshot.exe process through unsafe deserialization of attacker-controlled data received via WM_COPYDATA messages (GitHub Advisory, NVD).

The vulnerability stems from Greenshot's WinForms WndProc handler for WM_COPYDATA (message 74) that processes incoming data without proper validation. The application deserializes attacker-controlled bytes using BinaryFormatter.Deserialize() before performing any authorization checks. This unsafe deserialization occurs when the application copies supplied bytes into a MemoryStream and invokes BinaryFormatter.Deserialize, with authorization checks happening only after the deserialization process. The vulnerability has received a CVSS v3.1 base score of 8.4 (High) with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (GitHub Advisory).

The vulnerability enables local attackers to achieve in-process code execution, which can aid in evading application control policies by running payloads within the trusted, signed Greenshot.exe process. This is particularly concerning in enterprise environments where attackers may leverage the vulnerability for stealthy in-memory execution, persistence, or as a staging point for further attacks. The execution occurs inside the legitimate Greenshot process, making detection more challenging for traditional security solutions (GBHackers).

The vulnerability has been patched in Greenshot version 1.3.301, released on September 16, 2025. Users are strongly advised to update to this version immediately. No known workarounds exist for earlier versions (NVD, GitHub Advisory).