| Name | CVE-2025-43960 |
| Description | Adminer 4.8.1, when using Monolog for logging, allows a Denial of Service (memory consumption) via a crafted serialized payload (e.g., using s:1000000000), leading to a PHP Object Injection issue. Remote, unauthenticated attackers can trigger this by sending a malicious serialized object, which forces excessive memory usage, rendering Adminer’s interface unresponsive and causing a server-level DoS. While the server may recover after several minutes, multiple simultaneous requests can cause a complete crash requiring manual intervention. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| adminer (PTS) | bullseye | 4.7.9-2 | vulnerable |
| bookworm | 4.8.1-1 | vulnerable | |
| trixie | 5.2.1+dfsg-1 | vulnerable | |
| forky, sid | 5.3.0+dfsg-1 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| adminer | source | (unstable) | (unfixed) | unimportant |
https://github.com/far00t01/CVE-2025-43960
https://github.com/vrana/adminer/issues/1193
Only an issues when using php-monolog, which isn't the case for the Debian packaging