Deserialization in Roundcube Webmail
CVE-2025-49113
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
Vulnerability class: Insecure Deserialization
EPSS: 0.905 (99.6th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 9.9 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.
Affected products
- Roundcube Webmail — versions 0, 1.6.0
Weakness classification (CWE)
CISA KEV (Known Exploited Vulnerabilities)
This CVE is on the CISA KEV catalog, added on . CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.
BOD 22-01 due date: .
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Public proof-of-concept exploits
References
- roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
- github.com/roundcube/roundcubemail/pull/9865
- github.com/roundcube/roundcubemail/releases/tag/1.6.11
- github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729…
- github.com/roundcube/roundcubemail/releases/tag/1.5.10
- github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc…
- github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb326…
- fearsoff.org/research/roundcube
- www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-vulnerability-detection
- www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-mitigation-script
Frequently asked questions
- What is CVE-2025-49113?
- CVE-2025-49113 is a critical-severity vulnerability in Roundcube Webmail, classified under Deserialization of Untrusted Data. CVSS score: 9.9/10. Published 2025-06-02.
- How severe is CVE-2025-49113?
- Critical severity. CVSS v3 base score is 9.9 out of 10.
- Is CVE-2025-49113 known to be exploited?
- Yes. CVE-2025-49113 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2026-02-20), indicating it is being actively exploited. 62 public proof-of-concept repositories are indexed.