CVE-2026-25524: OpenMage LTS: Phar Deserialization leads to Remote Code Execution
PHP functions such as getimagesize(), file_exists(), and is_readable() can trigger deserialization when processing phar:// stream wrapper paths. OpenMage LTS uses these functions with potentially controllable file paths during image validation and media handling. An attacker who can upload a malicious phar file (disguised as an image) and trigger one of these functions with a phar:// path can achieve arbitrary code execution.
| Metric | Value | Justification |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable via file upload and web requests |
| Attack Complexity (AC) | High | Requires file upload + triggering phar:// access |
| Privileges Required (PR) | None | Some upload vectors don’t require authentication |
| User Interaction (UI) | None | Exploitation is automatic once triggered |
| Scope (S) | Unchanged | Impacts the vulnerable component |
| Confidentiality (C) | High | Full system access via RCE |
| Integrity (I) | High | Arbitrary code execution |
| Availability (A) | High | Complete system compromise possible |
References
Code Behaviors & Features
Detect and mitigate CVE-2026-25524 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →