Pimcore has Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction

Description

GitHub Security Advisory Draft — GM-374

Summary

Multiple locations in Pimcore v11 call PHP's unserialize() on data from database columns and filesystem files without the allowed_classes restriction, enabling object injection if an attacker can control the serialized data source.

Severity

CVSS 3.1: 8.0 (High) — AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected Component

  • Package: pimcore/pimcore and pimcore/admin-ui-classic-bundle
  • Files:
  • lib/Tool/Authentication.php (line 82) — session token deserialization
  • models/Site/Dao.php (line 68) — site domains from database
  • models/DataObject/ClassDefinition/CustomLayout/Dao.php (line 69) — layout definitions from database
  • models/Tool/TmpStore/Dao.php (line 64) — temporary store data from database
  • models/Asset/WebDAV/Service.php (line 36) — delete log from filesystem
  • admin-ui-classic-bundle/src/Helper/Dashboard.php (line 64) — dashboard config from filesystem

Description

Six locations in Pimcore core call unserialize() directly (bypassing Tool\Serialize) on data sourced from database columns or filesystem files without passing the allowed_classes parameter. This means any class available in the autoloader will be instantiated during deserialization.

If an attacker can write to the data source (e.g., via SQL injection targeting the tmp_store, sites, or custom_layouts tables, or via a file write vulnerability targeting the WebDAV delete log), they can inject serialized PHP gadget chains that execute arbitrary code when the data is deserialized.

This is related to but distinct from the Tool\Serialize::unserialize() issue — these calls bypass the wrapper entirely.

Impact

PHP object injection leading to Remote Code Execution when chained with a data source write vulnerability. Pimcore's dependency tree (Guzzle, Symfony, Monolog, Doctrine) provides numerous known gadget chains.

Proof of Concept

  1. Identify a writable data source (e.g., tmp_store table via SQL injection, or webdav-delete.dat via file write)
  2. Write a serialized PHP gadget chain (e.g., Monolog BufferHandler chain from phpggc)
  3. Trigger the deserialization (e.g., access a page that reads TmpStore, or trigger a WebDAV operation)
  4. The gadget chain executes with web server privileges

Suggested Fix

Add allowed_classes parameter to all unserialize() calls. Where no objects are needed, use ['allowed_classes' => false]. Consider migrating to JSON serialization for data that doesn't require object preservation.

// Example fix for Site/Dao.php:
$siteDomains = unserialize($site['domains'], ['allowed_classes' => false]);

// Example fix for TmpStore/Dao.php:
$item['data'] = unserialize($item['data'], ['allowed_classes' => false]);

References

  • CWE-502: Deserialization of Untrusted Data
  • OWASP Deserialization Cheat Sheet
  • phpggc: PHP Generic Gadget Chains

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-05-27 16:57:04 UTC
Updated
2026-07-10 19:07:30 UTC
GitHub reviewed
2026-05-27 16:57:04 UTC

EPSS Score

Score Percentile
0.20% 42.47%

CVSS Scores

Base score Version Severity Vector
8.0 3.1
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:H)
They need powerful rights—admin, root, or similar—before this pays off.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.

Identifiers

CWEs

CWE id Name
CWE-502 Deserialization of Untrusted Data

Credits

  • tikket1 (reporter)
  • kingjia90 (analyst)

Affected packages (3)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
composer pimcore/pimcore >= 12.0.0-RC1, <= 12.3.6 12.3.7
composer pimcore/pimcore <= 11.5.16 11.5.17
composer pimcore/pimcore >= 2026.1.0, < 2026.1.3 2026.1.3

References

cvelogic Threat Intelligence