GHSA-mqh4-2mm8-g7w9

Source

https://github.com/advisories/GHSA-mqh4-2mm8-g7w9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-mqh4-2mm8-g7w9/GHSA-mqh4-2mm8-g7w9.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-mqh4-2mm8-g7w9

Aliases

CVE-2025-43960

Published

2025-08-25T15:32:00Z

Modified

2025-08-25T22:27:27.794699Z

Severity

8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L CVSS Calculator

Summary

Adminer PHP Object Injection issue leads to Denial of Service

Details

Adminer 4.8.1, when using Monolog for logging, allows a Denial of Service (memory consumption) via a crafted serialized payload (e.g., using s:1000000000), leading to a PHP Object Injection issue. Remote, unauthenticated attackers can trigger this by sending a malicious serialized object, which forces excessive memory usage, rendering Adminer’s interface unresponsive and causing a server-level DoS. While the server may recover after several minutes, multiple simultaneous requests can cause a complete crash requiring manual intervention.

Database specific

{
    "nvd_published_at": "2025-08-25T14:15:30Z",
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-25T21:50:01Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-502"
    ]
}

References

Affected packages

Packagist / vrana/adminer

Package

Name: vrana/adminer
Purl: pkg:composer/vrana/adminer

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

4.8.1

Affected versions

v4.*

v4.2.0

v4.2.1

v4.2.2

v4.2.3

v4.2.4

v4.2.5

v4.3.0

v4.3.1

v4.4.0

v4.5.0

v4.6.0

v4.6.1

v4.6.2

v4.6.3

v4.7.0

v4.7.1

v4.7.2

v4.7.3

v4.7.4

v4.7.5

v4.7.6

v4.7.7

v4.7.8

v4.7.9

v4.8.0

v4.8.1