GHSA-mqh4-2mm8-g7w9: Adminer PHP Object Injection issue leads to Denial of Service
Adminer 4.8.1, when using Monolog for logging, allows a Denial of Service (memory consumption) via a crafted serialized payload (e.g., using s:1000000000), leading to a PHP Object Injection issue. Remote, unauthenticated attackers can trigger this by sending a malicious serialized object, which forces excessive memory usage, rendering Adminer’s interface unresponsive and causing a server-level DoS. While the server may recover after several minutes, multiple simultaneous requests can cause a complete crash requiring manual intervention.
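A defender-side triage check for the payload shape described above, as an added example that is not part of the advisory or of Adminer's code: it scans a request body for PHP `serialize()` tokens whose declared size is implausible or that instantiate objects. The function name, the size cap and the sample inputs are assumptions made for illustration.

```python
import re

# Length-prefixed tokens in PHP's serialize() format:
#   s:<bytes>:"...";   a:<count>:{...}   O:<namelen>:"Class":<count>:{...}
TOKEN = re.compile(rb'(?<![0-9A-Za-z])([saOC]):(\d+):')

MAX_DECLARED = 1_000_000  # assumed policy cap, tune per deployment


def audit_serialized(data: bytes, max_declared: int = MAX_DECLARED):
    """Return (offset, kind, reason) findings for suspicious tokens in `data`.

    Heuristic byte scan, not a full parser: it can also match token-like
    text inside a legitimate string value, so treat hits as triage signals.
    """
    findings = []
    for m in TOKEN.finditer(data):
        kind = m.group(1).decode()
        declared = int(m.group(2))
        remaining = len(data) - m.end()  # bytes left after the token header
        if kind in "OC":
            findings.append((m.start(), kind, "object token in untrusted input"))
        if declared > max_declared:
            findings.append((m.start(), kind, f"declared size {declared} over cap"))
        elif declared > remaining:
            findings.append((m.start(), kind,
                             f"declared size {declared} > {remaining} bytes left"))
    return findings


# Constructed samples (not captured traffic).
BENIGN = b'a:2:{s:4:"user";s:5:"alice";s:4:"lang";s:2:"en";}'
OVERSIZED = b'a:1:{s:1:"k";s:1000000000:"x";}'
OBJECT = b'O:8:"stdClass":0:{}'

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("oversized", OVERSIZED),
                         ("object", OBJECT)]:
        print(name, audit_serialized(sample))
```
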
Severity: High. GitHub Reviewed. Published Aug 25, 2025 to the GitHub Advisory Database. Updated Aug 25, 2025.
Package
vrana/adminer (Composer)
Affected versions
<= 4.8.1
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-43960
- https://github.com/far00t01/CVE-2025-43960