Issue Roundcube vulnerability CVE-2025-49113

[Mark_NLD]

Server operating system version

Ubuntu 24.04

Plesk version and microupdate number

18.0.56 #2

Roundcube has a new vulnerability: CVE-2025-49113

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

Aleksander Machniak has released a secutity update: Roundcube Webmail 1.6.11

When can we expect this fix to be included in Plesk?

 

[learning_curve]

Roundcube has a new vulnerability: CVE-2025-49113
Aleksander Machniak has released a secutity update: Roundcube Webmail 1.6.11
When can we expect this fix to be included in Plesk?

In addition to the important post above (i.e. Plesk upgrading their support, to enable us all to utilize Roundcube 1.6.11 asap) can Plesk - at the same time - please ensure that Roundcube 1.6.11 (when hosted within Plesk) IS available on PHP 8.4.* NOT just PHP 8.3.* > because currently, we're (yet again) 'stuck' as Plesk (since 18.0.67) still only supports Roundcube on PHP 8.3.* > and in many cases (ours included) PHP 8.3.* isn't needed for anything else...

 

[Sebahat.hadzhi]

Please find the patch here:

• https://support.plesk.com/hc/en-us/...3-Vulnerability-in-Roundcube-on-Plesk-servers

can Plesk - at the same time - please ensure that Roundcube 1.6.11 (when hosted within Plesk) IS available on PHP 8.4.* NOT just PHP 8.3.* > because currently, we're (yet again) 'stuck' as Plesk (since 18.0.67) still only supports Roundcube on PHP 8.3.* > and in many cases (ours included) PHP 8.3.* isn't needed for anything else...

I will double-check when we plan to move Roundcube to PHP 8.4 and will follow up with more details as soon as possible.

 

[learning_curve]

Please find the patch here:

• https://support.plesk.com/hc/en-us/...3-Vulnerability-in-Roundcube-on-Plesk-servers

Thank you @Sebahat.hadzhi That's the most urgent fix very quickly resolved.
In between steps 1. and 2. of the the syntax provided in that patch article, one obvious step is missing, so just posting it here, in case anybody forgets:

Either rename the file to match what the patch command expects:

mv 32537223826583 patch-roundcube-1.6.10-CVE-2025-49113
patch -p1 -d /usr/share/psa-roundcube < patch-roundcube-1.6.10-CVE-2025-49113

Or use the actual filename in the patch command:

patch -p1 -d /usr/share/psa-roundcube < 32537223826583

Both methods work obviously — It's just ensuring that the filename in the redirect < matches the actual file on disk

 

[Sebahat.hadzhi]

Thank you for pointing that out. I asked our team to add the step and they will update it shortly.

Regarding your other question, our team mentioned that according to Roundcube's documentation, version 1.6 (which we are currently ship) doesn't support 8.4. Thus, at this point, there is no plan for such a shift.

 

[learning_curve]

Regarding your other question, our team mentioned that according to Roundcube's documentation, version 1.6 (which we are currently ship) doesn't support 8.4. Thus, at this point, there is no plan for such a shift.

My apologies. I was meaning; Roundcube version 1.6.11, as I was assuming that Plesk would be upgrading to that shortly.
However, in fairness, just double checked and Roundcube, won't now fully support PHP 8.4, until version 1.7 > onward anyway, so...

 

[Sebahat.hadzhi]

There's an initiative for updating Roundcube to 1.6.11, but I cannot provide any ETA yet. I will keep you posted on the progress.

 

[Mark_NLD]

@Sebahat.hadzhi many thanks for the quick patch

​