CVE-2025-23209

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version, should rotate their security keys and ensure their privacy to help migitgate the issue.

CVSS v3 8.0 HIGH

8.0^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret	Product
https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603	Patch
https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:craftcms:craft_cms::::::::
	cpe:2.3:a:craftcms:craft_cms::::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:-::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3::::::
	cpe:2.3:a:craftcms:craft_cms:5.0.0:-::::::
	cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1::::::

History

21 Feb 2025, 14:48

Type	Values Removed	Values Added
First Time		Craftcms Craftcms craft Cms
CPE		cpe:2.3:a:craftcms:craft_cms:::::::: cpe:2.3:a:craftcms:craft_cms:4.0.0:-:::::: cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:::::: cpe:2.3:a:craftcms:craft_cms:5.0.0:-:::::: cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:::::: cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:::::: cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1::::::
References	~~() https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret -~~	() https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret - Product
References	~~() https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603 -~~	() https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603 - Patch
References	~~() https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x -~~	() https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x - Vendor Advisory

21 Feb 2025, 02:00

Type	Values Removed	Values Added
Summary		(es) Craft es un CMS flexible y fácil de usar para crear experiencias digitales personalizadas en la web y más allá. Esta es una vulnerabilidad de ejecución remota de código (RCE) que afecta a las instalaciones de Craft 4 y 5 en las que su clave de seguridad ya se ha visto comprometida. Cualquiera que ejecute una versión sin parches de Craft con una clave de seguridad comprometida se ve afectado. Esta vulnerabilidad se ha corregido en Craft 5.5.8 y 4.13.8. Los usuarios que no puedan actualizar a una versión parcheada deben rotar sus claves de seguridad y garantizar su privacidad para ayudar a mitigar el problema.

18 Jan 2025, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-18 01:15

Updated : 2025-02-21 14:48

NVD link : CVE-2025-23209

Mitre link : CVE-2025-23209

CVE.ORG link : CVE-2025-23209

JSON object : View

Products Affected

craftcms

craft_cms

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

8.0 /10