CVE-2025-57889 is a high-severity vulnerability classified under CWE-98, which pertains to improper control of filenames used in include or require statements within PHP applications. Specifically, this vulnerability affects the RealMag777 InPost Gallery software up to version 2.1.4.5. The flaw allows for PHP Local File Inclusion (LFI), which means an attacker can manipulate the filename parameter in the include or require statement to load arbitrary files from the local filesystem. This can lead to the execution of malicious code, disclosure of sensitive information, or further exploitation of the system. The vulnerability is remotely exploitable over the network (AV:N), but requires high attack complexity (AC:H) and low privileges (PR:L), with no user interaction needed (UI:N). The impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H), indicating that successful exploitation can lead to full system compromise. No known public exploits are reported yet, and no patches have been linked at the time of publication. The vulnerability arises from insufficient validation or sanitization of user-supplied input used in dynamic file inclusion, a common PHP security issue that can be leveraged to execute arbitrary PHP code or read sensitive files. Given the nature of InPost Gallery as a web-based gallery management system, this vulnerability could be exploited to gain unauthorized access to web server files, configuration data, or escalate privileges within the hosting environment.

For European organizations using RealMag777 InPost Gallery, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to sensitive images, user data, or internal documents hosted within the gallery. Additionally, attackers could execute arbitrary code on the web server, potentially pivoting to other internal systems or deploying ransomware or other malware. This could result in data breaches, service disruptions, reputational damage, and regulatory non-compliance under GDPR due to unauthorized data exposure. Organizations relying on InPost Gallery for public-facing or internal content management are particularly at risk, especially if the software is deployed without adequate network segmentation or hardened configurations. The high impact on confidentiality, integrity, and availability means that exploitation could disrupt business operations and compromise critical data assets.

Organizations should immediately audit their use of InPost Gallery and identify any installations running versions up to 2.1.4.5. Since no official patches are currently available, temporary mitigations include disabling or restricting access to vulnerable include/require functionality through web application firewalls (WAFs) or PHP configuration settings. Input validation and sanitization should be enforced at the application level to prevent malicious filename parameters. Restricting file system permissions for the web server user can limit the scope of file inclusion. Network-level controls should limit access to the gallery application to trusted users or IP ranges. Monitoring web server logs for suspicious include parameter usage and deploying intrusion detection systems can help detect exploitation attempts. Organizations should also engage with the vendor for patch release timelines and apply updates promptly once available. As a longer-term measure, consider migrating to more secure gallery management solutions or implementing code reviews to eliminate unsafe dynamic includes.