PoC Week 2025-09-29

Posted on Sep 29, 2025

The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count. Older CVEs, trivially exploitable vulnerabilities (such as using hard-coded credentials) and those affecting open source projects with very small userbases aren’t listed.

For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them.

CVE-2025-9083

  • Severity: 9.8 CRITICAL
  • Impacted Products: Ninja Forms WordPress plugin before 3.11.1
  • Description: The Ninja Forms WordPress plugin before 3.11.1 unserializes user input supplied via a form field, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget chain is present on the blog.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-9083
  • PoC: https://wpscan.com/vulnerability/60b4d7fc-5d23-4dcf-bd7f-e202cabc2625/

CVE-2025-59528

  • Severity: 10 CRITICAL
  • Impacted Products: Flowise 3.0.5
  • Description: Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation. Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as child_process and fs. This issue has been patched in version 3.0.6.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-59528
  • PoC: https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3gcm-f6qx-ff7p
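The pattern the advisory describes, shown as an added example (this is not Flowise's code, and the function names, the sample config and the marker-setting payload are assumptions for illustration): a "lenient JSON" helper that hands the user string to the Function() constructor, beside a hardened version that only ever uses a JSON parser and then validates the shape.

```javascript
// Added example, not Flowise code: the Function()-based parsing pattern named in
// CVE-2025-59528 next to a hardened replacement. Names and inputs are assumptions.

// VULNERABLE: tolerates non-strict JSON by evaluating the string as JavaScript.
// Whatever the string contains runs inside the Node.js process, so a "config"
// can call require('child_process'), read files with fs, and so on.
function convertToValidJSONStringUnsafe(input) {
  const value = new Function(`return (${input});`)();
  return JSON.stringify(value);
}

// HARDENED: a parser, never an evaluator, followed by a shape check so callers
// only ever see a plain JSON object.
function convertToValidJSONStringSafe(input) {
  let value;
  try {
    value = JSON.parse(input);
  } catch (e) {
    throw new Error('mcpServerConfig must be strict JSON: ' + e.message);
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error('mcpServerConfig must be a JSON object');
  }
  return JSON.stringify(value);
}

// Constructed inputs: a legitimate-looking config and a "config" that carries
// code. The malicious string only sets a global marker so the demo is harmless;
// with the vulnerable helper it could just as well spawn a process.
const benign =
  '{"mcpServers":{"demo":{"command":"npx","args":["-y","some-server"]}}}';
const malicious = '(globalThis.__pwned = true, {"mcpServers":{}})';

// Runs both helpers over both inputs and reports what happened.
function demo() {
  const results = {};
  results.unsafeBenign = convertToValidJSONStringUnsafe(benign);
  // The comma expression executes, then the trailing object literal is returned,
  // so the unsafe helper "succeeds" and the caller never notices the side effect.
  results.unsafeMalicious = convertToValidJSONStringUnsafe(malicious);
  results.codeRan = globalThis.__pwned === true;
  results.safeBenign = convertToValidJSONStringSafe(benign);
  try {
    convertToValidJSONStringSafe(malicious);
    results.safeRejected = false;
  } catch (e) {
    results.safeRejected = true; // JSON.parse throws a SyntaxError on code
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The takeaway for review: any use of `Function()`, `eval()`, or `vm.runInThisContext()` on a request-derived string is remote code execution by construction, regardless of what the surrounding helper is named; "make the JSON valid" needs a parser (or a tolerant JSON5-style parser), not an evaluator.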

CVE-2025-59352

  • Severity: 8.8 HIGH
  • Impacted Products: Dragonfly < 2.1.0
  • Description: Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the gRPC and HTTP APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations and to read arbitrary files. This allows peers to steal other peers' secret data and to gain remote code execution (RCE) on the peer's machine. This vulnerability is fixed in 2.1.0.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-59352
  • PoC: https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf

CVE-2025-59340

  • Severity: 8.8 HIGH
  • Impacted Products: jinjava < 2.8.1
  • Description: jinjava is a Java-based template engine based on Django template syntax, adapted to render Jinja templates. Prior to 2.8.1, by using mapper.getTypeFactory().constructFromCanonical(), it is possible to instruct the underlying ObjectMapper to deserialize attacker-controlled input into arbitrary classes. This enables the creation of semi-arbitrary class instances without directly invoking restricted methods or class literals. As a result, an attacker can escape the sandbox and instantiate classes such as java.net.URL, opening up the ability to access local files and URLs (e.g., file:///etc/passwd). With further chaining, this primitive can potentially lead to remote code execution (RCE). This vulnerability is fixed in 2.8.1.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-59340
  • PoC: https://github.com/HubSpot/jinjava/security/advisories/GHSA-m49c-g9wr-hv6v

CVE-2025-57631

CVE-2025-5305

References

This list was scraped from the quite amazing and highly recommended newsletters below:

Thanks for reading! For corrections, omissions (e.g. newsletter recs) feel free to get in touch.