CVE-2025-43960Deserialization of Untrusted Data in Adminer

CWE-502Deserialization of Untrusted Data5 documents4 sources
Severity
8.6HIGHNVD
EPSS
0.5%
top 36.07%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Vrana AdminerAdminerDebian Adminer
Timeline
PublishedAug 25

Description

Adminer 4.8.1, when using Monolog for logging, allows a Denial of Service (memory consumption) via a crafted serialized payload (e.g., using s:1000000000), leading to a PHP Object Injection issue. Remote, unauthenticated attackers can trigger this by sending a malicious serialized object, which forces excessive memory usage, rendering Adminer’s interface unresponsive and causing a server-level DoS. While the server may recover after several minutes, multiple simultaneous requests can cause a com

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:LExploitability: 3.9 | Impact: 4.7

Affected Packages3 packages

Packagistvrana/adminer4.8.1
NVDadminer/adminer4.8.1

🔴Vulnerability Details

3
GHSA
Adminer PHP Object Injection issue leads to Denial of Service2025-08-25
OSV
Adminer PHP Object Injection issue leads to Denial of Service2025-08-25
OSV
CVE-2025-43960: Adminer 42025-08-25

📋Vendor Advisories

1
Debian
CVE-2025-43960: adminer - Adminer 4.8.1, when using Monolog for logging, allows a Denial of Service (memor...2025