CVE-2025-25691: PrestaShop Theme Import PHAR Deserialization Vulnerability

Welcome back to the blog! Today, we're diving into CVE-2025-25691, a concerning vulnerability affecting PrestaShop, a popular e-commerce platform. This flaw could allow attackers to execute arbitrary code on vulnerable stores.

🔍 TL;DR Summary

CVE-2025-25691 is a PHAR deserialization vulnerability in PrestaShop v8.2.0's theme import functionality. By sending a specially crafted POST request, an attacker can potentially execute arbitrary code on the server. This could lead to a complete compromise of the e-commerce store.

🚨 Vulnerability Details

  • CVE ID: CVE-2025-25691
  • Description: A PHAR deserialization vulnerability exists in the `/themes/import` component of PrestaShop v8.2.0. An attacker can exploit this vulnerability by sending a malicious POST request, leading to arbitrary code execution.
  • CVSS Score and Vector:
    • CVSS v3.1 Score: 6.5 (Medium)
    • CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
    • Explanation: The vector gives this vulnerability a medium severity rating. The attack vector is network-based (AV:N), so it can be exploited remotely; the attack complexity is low (AC:L); no privileges (PR:N) and no user interaction (UI:N) are required. The scope is unchanged (S:U), and the rated impact is low confidentiality (C:L) and low integrity (I:L), with no availability impact (A:N): in CVSS terms, some data disclosure and limited data modification. Note that C:L/I:L does not describe arbitrary code execution; if the code-execution impact described on this page is confirmed, the practical severity is higher than the published score suggests.
  • Exploit Requirements: An attacker needs to be able to send a POST request to the `/themes/import` endpoint. No authentication is required.
  • Affected Vendor, Product, Version: PrestaShop v8.2.0
  • CWE:
    • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
    • CWE-502: Deserialization of Untrusted Data
    • Explanation: CWE-502 is the root cause: the application unserializes attacker-controlled data without validating it. CWE-77 describes the outcome, since the deserialized object can be used to run arbitrary commands on the server.

📅 Timeline of Events

  • 2025-07-30: CVE-2025-25691 was published.

🧠 Exploitability & Real-World Risk

PHAR deserialization vulnerabilities can be particularly dangerous. In this case, an attacker could craft a malicious PHAR archive and upload it through the theme import functionality. When the application processes that file through PHP's phar:// stream wrapper, the serialized metadata stored in the archive is unserialized without any check on its contents, and a gadget chain in that metadata can run attacker-chosen code. This could give the attacker complete control over the PrestaShop installation, potentially stealing sensitive customer data, modifying product information, or even using the server for malicious purposes.

Given PrestaShop's popularity, this vulnerability poses a significant risk to many online stores. It is crucial to apply the necessary patches or mitigations as soon as possible.

🛠️ Recommendations

  • Upgrade PrestaShop: The most effective solution is to upgrade to a patched version of PrestaShop as soon as it becomes available.
  • Monitor Theme Imports: Carefully monitor all theme import activity for any suspicious files or patterns.
  • Web Application Firewall (WAF): Implement a WAF with rules to detect and block malicious PHAR uploads.
  • Disable Theme Import (if possible): If you do not need the theme import functionality, consider disabling it altogether.

🧪 Technical Insight

The vulnerability arises because PrestaShop's theme import feature does not properly validate the uploaded archive before handling it. A PHAR archive carries serialized PHP objects in its metadata, and PHP unserializes that metadata as soon as any filesystem function (file_exists(), is_dir(), file_get_contents() and the like) touches a phar:// path; no explicit unserialize() call is needed. Because a PHAR can also be packaged in zip or tar form, a file that looks like an ordinary theme archive can still carry such metadata. By crafting an archive whose metadata holds a malicious serialized object, an attacker can exploit this flaw.
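As an added defensive example (not code from the original post or from PrestaShop), the following Python scanner applies the checks a theme-import monitor or WAF rule (see the recommendations above) would use to flag an upload that is a PHAR in disguise: the `phar://` wrapper in a filename, the `__HALT_COMPILER();` stub and `GBMB` trailer of a native-format PHAR, and, for zip-based PHARs as documented in the PHP Phar file format, a serialized PHP object in the zip archive comment or a `.phar/stub.php` entry. The sample archives are constructed inline and the function names are my own.

```python
import io
import re
import zipfile

PHAR_STUB_MARKER = b"__HALT_COMPILER();"   # stub ending every native PHAR
PHAR_TRAILER = b"GBMB"                     # last 4 bytes of a native PHAR signature
# openers of a PHP serialized object ("O:8:") or array ("a:2:") in raw bytes
SERIALIZED_RE = re.compile(rb"(?:^|[^A-Za-z])[Oa]:\d+:")


def inspect_theme_upload(filename: str, data: bytes) -> list:
    """Return the list of PHAR indicators found in an uploaded theme; [] means clean."""
    findings = []
    if "phar://" in filename.lower():
        findings.append("phar:// stream wrapper in filename")
    if PHAR_STUB_MARKER in data[:4096]:
        findings.append("PHAR stub (__HALT_COMPILER) in file header")
    if data.endswith(PHAR_TRAILER):
        findings.append("native PHAR signature trailer (GBMB)")
    if data[:2] == b"PK":  # zip-based PHAR: metadata lives in the archive comment
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if SERIALIZED_RE.search(zf.comment):
                    findings.append("serialized PHP object in zip archive comment")
                names = zf.namelist()
                if ".phar/stub.php" in names:
                    findings.append("zip entry .phar/stub.php (zip-based PHAR)")
                if any(n.lower().endswith(".phar") for n in names):
                    findings.append("embedded .phar member")
        except zipfile.BadZipFile:
            findings.append("file starts with PK but is not a valid zip")
    return findings


def build_sample_zip(comment: bytes = b"", extra_name: str = None) -> bytes:
    """Constructed theme archive for testing; optional comment/entry mimic a zip PHAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mytheme/config/theme.yml", "name: mytheme\n")
        if extra_name:
            zf.writestr(extra_name, "<?php __HALT_COMPILER(); ?>")
        zf.comment = comment
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_theme_upload("mytheme.zip", build_sample_zip()))
    print(inspect_theme_upload("t.zip", build_sample_zip(comment=b'O:8:"stdClass":0:{}')))
```

A real import pipeline would reject the upload on any finding and log the filename and indicator for follow-up.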

🙌 Credit to Researcher(s)

The researcher(s) who discovered this vulnerability are credited in the associated security advisories and vulnerability reports. Please refer to the references below for more details.

🔗 References

🧵 Tags

#PrestaShop #CVE-2025-25691 #PHARDeserialization #RemoteCodeExecution #EcommerceSecurity #ThemeImportVulnerability

Summary: CVE-2025-25691 is a PHAR deserialization vulnerability in PrestaShop v8.2.0 that allows remote attackers to execute arbitrary code by uploading a specially crafted theme file. This can lead to complete compromise of the e-commerce store. Users are advised to upgrade or apply the recommended mitigations immediately.

Recommendation: Upgrade PrestaShop to a patched version, monitor theme imports, implement a WAF, and disable theme import if not needed.