CVE-2025-23209

Warnung

EPSS 4.13%
Veröffentlicht 18.01.2025 01:15:07
Zuletzt bearbeitet 24.10.2025 13:59:53
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Potential RCE with a compromised security key in craft/cms

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version, should rotate their security keys and ensure their privacy to help migitgate the issue.

Betroffene Produkte Warnungen 1 Metriken 3 CWE 1 Referenzen 7

NVD 8 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Craftcms ≫ Craft Cms Version > 4.0.0 < 4.13.8

Craftcms ≫ Craft Cms Version > 5.0.0 < 5.5.8

Craftcms ≫ Craft Cms Version4.0.0 Update-

Craftcms ≫ Craft Cms Version4.0.0 Updaterc1

Craftcms ≫ Craft Cms Version4.0.0 Updaterc2

Craftcms ≫ Craft Cms Version4.0.0 Updaterc3

Craftcms ≫ Craft Cms Version5.0.0 Update-

Craftcms ≫ Craft Cms Version5.0.0 Updaterc1

20.02.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

Craft CMS Code Injection Vulnerability

Schwachstelle

Craft CMS contains a code injection vulnerability caused by improper validation of the database backup path, ultimately enabling remote code execution.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	4.13%	0.895

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	8	1.3	6	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret

Product

https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603

Patch

https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x

Vendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209

US Government Resource

https://nvd.nist.gov/vuln/detail/CVE-2025-23209

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-23209

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-23209

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-23209

20.02.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog