CVE-2025-4905 MEDIUM

CVE-2025-4905: iop-apl-uw basestation3 QC.py load_qc_pickl deserialization

Vendor Iop-Apl-Uw
Product basestation3
Weakness CWE-502 · Unsafe deserialization
Published May 19, 2025
Last update May 19, 2025
View on NVD All CVEs

CVSS base score

4.8/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

A vulnerability was found in iop-apl-uw basestation3 up to 3.0.4 and classified as problematic. This issue affects the function load_qc_pickl of the file basestation3/QC.py. The manipulation of the argument qc_file leads to deserialization. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The code maintainer tagged the issue as closed. But there is no new commit nor release in the GitHub repository available so far.

Key dates

02Disclosure timeline

May 19, 2025 CVE published
May 19, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-34060 Monero Forum Remote Code Execution via Arbitrary File Read and Cookie Forgery CVE-2025-47163 Microsoft SharePoint Server Remote Code Execution Vulnerability CVE-2023-32513 WordPress GiveWP Plugin <= 2.25.3 is vulnerable to PHP Object Injection CVE-2022-39198 Apache Dubbo Hession Deserialization Vulnerability Gadgets Bypass CVE-2024-8016 The Events Calendar Pro <= 7.0.2 - Authenticated (Administrator+) PHP Object Injection to Remote Code Execution