
Resolved Roundcube vulnerability CVE-2025-49113

Mark_NLD
Basic Pleskian

Server operating system version: Ubuntu 24.04
Plesk version and microupdate number: 18.0.56 #2
Roundcube has a new vulnerability: CVE-2025-49113

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

Aleksander Machniak has released a security update: Roundcube Webmail 1.6.11

When can we expect this fix to be included in Plesk?
 
Roundcube has a new vulnerability: CVE-2025-49113
Aleksander Machniak has released a security update: Roundcube Webmail 1.6.11
When can we expect this fix to be included in Plesk?
In addition to the important post above (i.e. Plesk upgrading their support, to enable us all to utilize Roundcube 1.6.11 asap) can Plesk - at the same time - please ensure that Roundcube 1.6.11 (when hosted within Plesk) IS available on PHP 8.4.* NOT just PHP 8.3.* > because currently, we're (yet again) 'stuck' as Plesk (since 18.0.67) still only supports Roundcube on PHP 8.3.* > and in many cases (ours included) PHP 8.3.* isn't needed for anything else...
 
Please find the patch here:


can Plesk - at the same time - please ensure that Roundcube 1.6.11 (when hosted within Plesk) IS available on PHP 8.4.* NOT just PHP 8.3.* > because currently, we're (yet again) 'stuck' as Plesk (since 18.0.67) still only supports Roundcube on PHP 8.3.* > and in many cases (ours included) PHP 8.3.* isn't needed for anything else...

I will double-check when we plan to move Roundcube to PHP 8.4 and will follow up with more details as soon as possible.
 
Thank you @Sebahat.hadzhi That's the most urgent fix very quickly resolved.
In between steps 1. and 2. of the syntax provided in that patch article, one obvious step is missing, so just posting it here, in case anybody forgets:

Either rename the file to match what the patch command expects:
Bash:
mv 32537223826583 patch-roundcube-1.6.10-CVE-2025-49113
patch -p1 -d /usr/share/psa-roundcube < patch-roundcube-1.6.10-CVE-2025-49113
Or use the actual filename in the patch command:
Bash:
patch -p1 -d /usr/share/psa-roundcube < 32537223826583
Both methods work obviously — it's just ensuring that the filename in the redirect < matches the actual file on disk.
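The step above is worth wrapping so the redirect is checked before anything is written. The following is an added example, not Plesk's or Roundcube's code: a small POSIX sh helper that refuses to run unless the patch file and target directory exist, dry-runs the patch first, and only then applies it. It assumes GNU patch and diff are installed and that the patch uses -p1 paths as in the thread. The self-check builds a throwaway tree with placeholder file contents under the numeric download name from the thread (32537223826583); it is not the real upload.php or the real CVE-2025-49113 patch.

```shell
#!/bin/sh
# Added example (not Plesk's or Roundcube's code): apply a downloaded patch to a
# directory only after a dry run confirms every hunk applies cleanly.
# Assumptions: GNU patch and diff are installed; the patch uses -p1 paths.

# apply_patch_checked PATCH_FILE TARGET_DIR
# Returns 1 for a bad argument, 2 if the dry run fails (wrong tree, already
# applied, or a corrupt download), otherwise patch's own exit status.
apply_patch_checked() {
    patch_file="$1"
    target_dir="$2"
    # The redirect must name a file that exists on disk, whatever it is called.
    [ -f "$patch_file" ] || { echo "patch file not found: $patch_file" >&2; return 1; }
    [ -d "$target_dir" ] || { echo "target dir not found: $target_dir" >&2; return 1; }
    # -N refuses hunks that look already applied, so a second run cannot reverse the fix.
    patch --dry-run -N -p1 -d "$target_dir" < "$patch_file" > /dev/null 2>&1 || {
        echo "dry run failed; not touching $target_dir" >&2
        return 2
    }
    patch -N -p1 -d "$target_dir" < "$patch_file"
}

# Constructed self-check: a throwaway tree standing in for /usr/share/psa-roundcube,
# a "fixed" copy, and a patch diffed between them and saved under the numeric
# name the forum download produced. File contents are placeholders, not the
# real upload.php or the real CVE-2025-49113 patch.
demo_apply() {
    work=$(mktemp -d) || return 1
    rel=program/actions/settings/upload.php
    mkdir -p "$work/tree/program/actions/settings" "$work/fixed/program/actions/settings"
    printf 'line1\nbefore\nline3\n' > "$work/tree/$rel"
    printf 'line1\nafter\nline3\n'  > "$work/fixed/$rel"
    # diff exits 1 when the trees differ; exit 0 would mean there is nothing to patch.
    if (cd "$work" && diff -ru tree fixed > 32537223826583); then
        return 1
    fi
    [ -s "$work/32537223826583" ] || return 1
    # First application must succeed and change the file ...
    apply_patch_checked "$work/32537223826583" "$work/tree" > /dev/null || return 1
    grep -q '^after$' "$work/tree/$rel" || return 1
    # ... and a repeat run must leave the already-fixed file untouched
    # (the dry run fails or the hunk is skipped; either way nothing is reversed).
    apply_patch_checked "$work/32537223826583" "$work/tree" > /dev/null 2>&1 || true
    grep -q '^after$' "$work/tree/$rel" || return 1
    rm -rf "$work"
}

# Usage on a real server (paths from the thread):
#   apply_patch_checked 32537223826583 /usr/share/psa-roundcube
if [ "${1:-}" = "--demo" ]; then
    demo_apply && echo "demo ok"
fi
```

The dry run is the part that matters operationally: it catches a patch pointed at the wrong directory, a truncated download, and a tree that was already patched by the Plesk component update, without leaving a half-applied Roundcube behind.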
 
Thank you for pointing that out. I asked our team to add the step and they will update it shortly.

Regarding your other question, our team mentioned that according to Roundcube's documentation, version 1.6 (which we currently ship) doesn't support 8.4. Thus, at this point, there is no plan for such a shift.
 
Regarding your other question, our team mentioned that according to Roundcube's documentation, version 1.6 (which we currently ship) doesn't support 8.4. Thus, at this point, there is no plan for such a shift.
My apologies. I was meaning; Roundcube version 1.6.11, as I was assuming that Plesk would be upgrading to that shortly.
However, in fairness, just double checked and Roundcube won't now fully support PHP 8.4 until version 1.7 > onward anyway, so... :D
 
I just want to confirm that along with Plesk Obsidian 18.0.70 Update 1 our team applied the upstream patch for Roundcube 1.4.15 and 1.6.10 to fix the CVE-2025-49113 vulnerability.

It should be automatically updated on Plesk Obsidian 18.0.69 and 18.0.70. If you are running an older Plesk version, please navigate to Tools & Settings > Updates and run the component updates manually.
 
I just want to confirm that along with Plesk Obsidian 18.0.70 Update 1 our team updated Roundcube 1.4.15 and 1.6.10 to fix the CVE-2025-49113 vulnerability.

It should be automatically updated on Plesk Obsidian 18.0.69 and 18.0.70. If you are running an older Plesk version, please navigate to Tools & Settings > Updates and run the component updates manually.

This explanation is rather confusing and not really helpful. According to the CVE, only version 1.6.11 solves the problem. Thus, a statement that the upgrade to 18.0.70 Update 1 fixes it with version 1.6.10 is misleading. My assumption: You backported this from 1.6.11 in your version 1.6.10. However, that is not properly described. Other than that it is not clear why there is no official update to 1.6.11 yet.
 
This explanation is rather confusing and not really helpful. According to the CVE, only version 1.6.11 solves the problem. Thus, a statement that the upgrade to 18.0.70 Update 1 fixes it with version 1.6.10 is misleading. My assumption: You backported this from 1.6.11 in your version 1.6.10. However, that is not properly described. Other than that it is not clear why there is no official update to 1.6.11 yet.
IF you've read all of this thread properly, then it's not confusing
The initial, quick response from Plesk to CVE-2025-49113 was a patch, which could be applied manually. This is effectively, back-porting just the "fix" for this problem, from the 1.6.11 release, which is not yet supported by Plesk, to the 1.6.10 release, which is supported by Plesk (at the time of writing).

Then, Plesk released 18.0.70 MU #1 which incorporated this fix into the Plesk supported version of the 1.6.10 release and at the same time, negated the manual application of the patch. If you were late on the uptake / were not aware of the patch, so didn't apply it, then upgrading to 18.0.70 MU #1 made the whole process much easier for you. Any semantics i.e. "...yes but it's not the 1.6.11 release is it? It's 1.6.10, so... blah blah blah" are not really relevant.
 
I am sorry to disagree, BUT: As someone who typically gets across such issues through the original CVE, just reading @Sebahat.hadzhi's last message (and also the official release notes of Plesk), the formulation is imprecise. Yes the problem is solved, but through a backport. This should clearly be stated as not everyone might find and read this thread. And people not having read this wonder how Plesk will have solved this by updating to a vulnerable version. And btw. if packages are modified compared to their original source, the versioning scheme should allow the users to understand that it is not the original version.
 
@B_P Apologies for any possible confusion caused. You are right. Our team applied the upstream patch for RoundCube 1.16, and updated it in order to be compatible with 1.14.x. I edited my previous reply to clarify that.
 