CVE-2025-54417

Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-23209: "Craft CMS has a potential RCE with a compromised security key". To exploit this vulnerability, the project must meet these requirements: have a compromised security key and create an arbitrary file in Craft's /storage/backups folder. With those criteria in place, attackers could create a specific, malicious request to the /updater/restore-db endpoint and execute CLI commands remotely. This issue is fixed in versions 4.16.3 and 5.8.4.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/craftcms/cms/commit/a19d46be78a9ca1ea474012a10e97bed0d787f57	Patch
https://github.com/craftcms/cms/security/advisories/GHSA-2vcf-qxv3-2mgw	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:craftcms:craft_cms::::::::
	cpe:2.3:a:craftcms:craft_cms::::::::

History

02 Sep 2025, 19:23

Type	Values Removed	Values Added
References	~~() https://github.com/craftcms/cms/commit/a19d46be78a9ca1ea474012a10e97bed0d787f57 -~~	() https://github.com/craftcms/cms/commit/a19d46be78a9ca1ea474012a10e97bed0d787f57 - Patch
References	~~() https://github.com/craftcms/cms/security/advisories/GHSA-2vcf-qxv3-2mgw -~~	() https://github.com/craftcms/cms/security/advisories/GHSA-2vcf-qxv3-2mgw - Third Party Advisory
First Time		Craftcms Craftcms craft Cms
CPE		cpe:2.3:a:craftcms:craft_cms::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8

11 Aug 2025, 18:32

Type	Values Removed	Values Added
Summary		(es) Craft es una plataforma para crear experiencias digitales. Las versiones 4.13.8 a 4.16.2 y 5.5.8 a 5.8.3 contienen una vulnerabilidad que puede eludir la CVE-2025-23209: "Craft CMS tiene un posible RCE con una clave de seguridad comprometida". Para explotar esta vulnerabilidad, el proyecto debe cumplir estos requisitos: tener una clave de seguridad comprometida y crear un archivo arbitrario en la carpeta /storage/backups de Craft. Con estos criterios, los atacantes podrían crear una solicitud maliciosa específica al endpoint /updater/restore-db y ejecutar comandos CLI de forma remota. Este problema se ha corregido en las versiones 4.16.3 y 5.8.4.

09 Aug 2025, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-09 02:15

Updated : 2025-09-02 19:23

NVD link : CVE-2025-54417

Mitre link : CVE-2025-54417

CVE.ORG link : CVE-2025-54417

JSON object : View

Products Affected

craftcms

craft_cms

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

8.8 /10