CVE-2025-48389: FreeScout Vulnerable to Deserialization of Untrusted Data

8.6 CVSS

Description

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.178, FreeScout is vulnerable to deserialization of untrusted data due to insufficient validation. Through the set function, a string with a serialized object can be passed, and when getting an option through the get method, deserialization will occur, which will allow arbitrary code execution This issue has been patched in version 1.8.178.

Classification

CVE ID: CVE-2025-48389

CVSS Base Severity: HIGH

CVSS Base Score: 8.6

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Problem Types

CWE-502: Deserialization of Untrusted Data

Affected Products

Vendor: freescout-help-desk

Product: freescout

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.09% (probability of being exploited)

EPSS Percentile: 27.61% (scored less or equal to compared to others)

EPSS Date: 2025-06-07 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-48389
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-jmpv-8q3h-2m8v
https://github.com/freescout-help-desk/freescout/commit/f7548a7076a0b6e109001069d6be223fbd96c61e

Timeline

2025-05-29 16:40:15 UTC
CVE

FreeScout Vulnerable to Deserialization of Untrusted Data