CVE-2025-23209

Severity: HIGH
Published: 2025-01-18
CVSS 3.1 base score: 8.0

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (4 events)

Analysis Generated: Mar 28, 2026 - 18:04 (vuln.today)
Patch Released: Mar 28, 2026 - 18:04 (nvd) - patch available
Added to CISA KEV: Oct 24, 2025 - 13:59 (cisa)
CVE Published: Jan 18, 2025 - 01:15 (nvd) - HIGH 8.0

Description

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is a remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version should rotate their security keys and ensure their privacy to help mitigate the issue.

Analysis

Craft CMS 4 and 5 contain a remote code execution vulnerability exploitable when the application's security key has been compromised, allowing attackers with the key to execute arbitrary code on the server.

Technical Context

The CWE-94 code injection requires knowledge of the Craft CMS security key (used for signing cookies and tokens). With the key, an attacker can craft signed payloads that the CMS trusts and processes, leading to PHP code execution on the server. The high attack complexity in the CVSS vector reflects this precondition: the key must already have been leaked, for example through an exposed .env file or a committed secret.

Affected Products

Craft CMS 4 (affected versions)
Craft CMS 5 (affected versions)

Remediation

Update Craft CMS to a patched release (4.13.8 or 5.5.8 and later). Rotate the security key immediately, since patching alone does not revoke a key that has already leaked. Ensure .env files are not publicly accessible. Check git repositories for accidentally committed secrets.
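As an added triage helper for the update step (example code written for this page, not from vuln.today or the Craft project): it reads a project's composer.lock and decides, from the fixed releases the advisory names, whether the installed craftcms/cms version still predates the fix. The composer.lock content is constructed; the package name craftcms/cms and the lock-file layout are assumed.

```python
import json
import re
from typing import Optional

# Fixed releases named in the advisory: Craft 4.13.8 and Craft 5.5.8.
PATCHED = {4: (4, 13, 8), 5: (5, 5, 8)}

# Constructed sample composer.lock excerpt (not taken from a real install).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.5.7"},
        {"name": "yiisoft/yii2", "version": "2.0.49"},
    ]
})


def parse_version(text: str) -> tuple:
    """Turn '5.5.7' or 'v5.5.7' into (5, 5, 7); pre-release suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def craft_version_from_lock(lock_text: str) -> Optional[str]:
    """Return the installed craftcms/cms version recorded in composer.lock, if any."""
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None


def is_vulnerable(version: str) -> bool:
    """True when a Craft 4.x or 5.x release predates its fix for CVE-2025-23209."""
    ver = parse_version(version)
    fixed = PATCHED.get(ver[0])
    if fixed is None:
        return False  # the advisory names only Craft 4 and 5
    return ver < fixed


def triage(lock_text: str) -> dict:
    """Summarise a lock file: installed version, fix status, minimum release to move to."""
    version = craft_version_from_lock(lock_text)
    if version is None:
        return {"version": None, "vulnerable": False, "minimum_fixed": None}
    fixed = PATCHED.get(parse_version(version)[0])
    return {
        "version": version,
        "vulnerable": is_vulnerable(version),
        "minimum_fixed": ".".join(map(str, fixed)) if fixed else None,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOCK))  # constructed sample resolves to vulnerable, fix 5.5.8
```

A clean version result does not close the case on its own: if the security key has already leaked, it still has to be rotated regardless of the installed release.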

Priority Score

109 (scale: Low / Medium / High / Critical)
KEV: +50
EPSS: +19.1
CVSS: +40
POC: 0

CVE-2025-23209 vulnerability details – vuln.today
