The Saloon PHP library is vulnerable to a critical object injection flaw that can be leveraged to achieve remote code execution by providing malicious serialized OAuth token data.

The library used unserialize() with allowed_classes => true in its AccessTokenAuthenticator class. If an attacker can control the serialized string (e.g., via cache poisoning or file overwrites), they can inject a "gadget" object that triggers malicious code execution through PHP magic methods during instantiation.

This vulnerability can lead to full remote code execution, especially in environments containing common PHP gadget chains like Monolog. The CVSS score of 9.8 reflects the high impact on confidentiality and integrity, as an attacker could gain complete control over the application's execution environment.

Immediate Action: Upgrade the Saloon library to version 4.0.0 or higher. This version removes the dangerous use of PHP serialization for token management.

Proactive Monitoring: Monitor for suspicious activity in application cache directories and review logs for PHP serialization errors or unexpected object types.

Compensating Controls: If upgrading is not immediately possible, ensure that the storage mechanism for OAuth tokens (e.g., Redis, file system) is strictly secured and inaccessible to untrusted users.

Public Exploit Available: false

PHP Object Injection remains a critical threat to modern applications. Users of the Saloon library should migrate to version 4.0.0 immediately to eliminate the use of unserialize() and mitigate the risk of remote code execution.