0037219: Security: Add allowed_classes => false to unserialize() calls to prevent PHP Object Injection

ID	Project	Category	View Status	Date Submitted	Last Update
0037219	mantisbt	security	public	2026-05-31 18:33	2026-05-31 19:32

Reporter	xananasx7	Assigned To	community
Priority	normal	Severity	minor	Reproducibility	have not tried
Status	assigned	Resolution	open

Summary	0037219: Security: Add allowed_classes => false to unserialize() calls to prevent PHP Object Injection
Description	The following functions call unserialize() without specifying allowed_classes: filter_api.php (filter deserialization from session/database) email_queue_api.php (email queue deserialization) safe_unserialize() helper This leaves them potentially vulnerable to PHP Object Injection (POI) via gadget chains using classes already loaded in memory, even when the data source appears trusted. Fix: Add ['allowed_classes' => false] as a defence-in-depth hardening measure. The deserialized data in these locations is always a plain array of scalar values — no object instantiation is expected — so this change does not affect functionality. GitHub PR with the fix: https://github.com/mantisbt/mantisbt/pull/2229
Tags	No tags attached.

dregad 2026-05-31 19:11 developer ~0071207	Thanks for creating the issue. I'll review the PR as time allows.