CVE-2025-35939

Warning

Media report

EPSS 33.05%
Published 07.05.2025 22:41:29
Last modified 03.06.2025 20:59:34
Source 9119a7d8-5eab-497f-8521-727c67
Teams watchlist Login
Open Login

Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named 'sess_[session_value]', where '[session_value]' is provided to the client in a 'Set-Cookie' response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue.

Affected products Warnungen 1 Metrics 4 CWE 1 References 9

Data is provided by the National Vulnerability Database (NVD)

Craftcms ≫ Craft Cms Version < 4.15.3

Craftcms ≫ Craft Cms Version >= 5.0.0 < 5.7.5

02.06.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability

Vulnerability

Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136 as represented by CVE-2025-32432.

Description

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	33.05%	0.968

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
9119a7d8-5eab-497f-8521-727c672e3725	6.9	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
9119a7d8-5eab-497f-8521-727c672e3725	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-472 External Control of Assumed-Immutable Web Parameter

The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.

https://www.heise.de/news/Warnung-vor-Angriffen-auf-Connectwise-Craft-CMS-und-Asus-Router-10424978.html

Medienbericht

heise Security

https://github.com/craftcms/cms/pull/17220

Patch

https://github.com/craftcms/cms/releases/tag/4.15.3

Release Notes

https://github.com/craftcms/cms/releases/tag/5.7.5

Release Notes

https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-147-01.json

Third Party Advisory

https://www.cve.org/CVERecord?id=CVE-2025-35939

VDB Entry

https://nvd.nist.gov/vuln/detail/CVE-2025-35939

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-35939

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-35939

EUVD