CVE-2025-63951
HIGH
7,5
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: none
Integrity: none
Availability: high
Description
AI Translation Available
An insecure deserialization vulnerability exists in the rss-mp3.php script of the MiczFlor RPi-Jukebox-RFID project through commit 4b2334f0ae0e87c0568876fc41c48c38aa9a7014 (2025-10-07). The 'rss' GET parameter receives data that is passed directly to the unserialize() function without validation. This allows a remote, unauthenticated attacker to inject arbitrary PHP objects, causing the application to process them and leading to errors or a denial of service.
EPSS (Exploit Prediction Scoring System)
Trend Analysis
EPSS (Exploit Prediction Scoring System)
Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.
EPSS Score
0,0026
Percentile
0,5th
Updated
EPSS Score Trend (Last 87 Days)
502
Deserialization of Untrusted Data
DraftCommon Consequences
Security Scopes Affected:
Integrity
Availability
Other
Potential Impacts:
Modify Application Data
Unexpected State
Dos: Resource Consumption (Cpu)
Varies By Context
Applicable Platforms
Languages:
Java, JavaScript, PHP, Python, Ruby
Technologies:
AI/ML, ICS/OT, Not Technology-Specific
Application
Phoniebox by Sourcefabric
Version Range Affected
To
2025-10-07
(inclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:a:sourcefabric:phoniebox:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://github.com/solonbarroso/vulnerability-research/blob/main/advisories/RPi…
https://github.com/solonbarroso/vulnerability-research/blob/main/advisories/RPi…