### Vulnerability Summary

**Vulnerability Overview**

A security vulnerability related to unsafe deserialization has been fixed in the Redis/RedisCache session handler of the Roundcube email client. The flaw allowed remote attackers to achieve arbitrary file write during the pre-echo phase, due to improper handling of serialized data.

**Affected Scope**

Roundcube instances configured to use Redis or RedisCache as their session storage backend.

**Fix Description**

The fix implements a security hardening measure in `program/include/soap.php` by registering an autoloader via `spl_autoload_register` and explicitly blocking any deserialization attempts through `\Roundcube\lib\Autoloader`. This is achieved by throwing a security exception when deserialization is attempted, effectively preventing exploitation.

**Related Code (Patch)**

```php
// disable use of dangerous dependencies
spl_autoload_register('roundcube\lib\Autoloader::class');
// (de)serialize via \Roundcube\lib\Autoloader is forbidden for security reasons.
throw new \Exception('Serialization is forbidden for security reasons.');
```
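
Review bot: The argument to `spl_autoload_register` is the quoted string `'roundcube\lib\Autoloader::class'`, so `::class` is literal text inside the string and PHP would read it as a `Class::method` callable naming a static method called `class`, not as the class-name constant. Pass a closure or an explicit `[ClassName::class, 'methodName']` pair instead, and match the namespace casing used in the comment (`\Roundcube\lib\Autoloader`). The `throw new \Exception(...)` on the last line is also shown with no condition or enclosing function, so as excerpted it runs unconditionally on every request. It should sit inside the autoload callback or behind the check that detects the deserialization attempt, and a dedicated exception class would make the event easier to catch and log than a bare `\Exception`.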