CVE-2025-23209

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version, should rotate their security keys and ensure their privacy to help migitgate the issue.

CVSS v3.0 8.1 HIGH

8.1^/10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret	Product
https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603	Patch
https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:-::::::
	cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1::::::
	cpe:2.3:a:craftcms:craft_cms::::::::
	cpe:2.3:a:craftcms:craft_cms::::::::
	cpe:2.3:a:craftcms:craft_cms:5.0.0:-::::::

History

21 Feb 2025, 14:48

Type	Values Removed	Values Added
CPE		cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:::::: cpe:2.3:a:craftcms:craft_cms:::::::: cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:::::: cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:::::: cpe:2.3:a:craftcms:craft_cms:4.0.0:-:::::: cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:::::: cpe:2.3:a:craftcms:craft_cms:5.0.0:-::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.1
First Time		Craftcms craft Cms Craftcms
References	~~() https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603 -~~	() https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603 - Patch
References	~~() https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret -~~	() https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret - Product
References	~~() https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x -~~	() https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x - Vendor Advisory

18 Jan 2025, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-18 01:15

Updated : 2025-02-21 14:48

NVD link : CVE-2025-23209

Mitre link : CVE-2025-23209

JSON object : View

Products Affected

craftcms

craft_cms

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

8.1 /10