CVE-2025-23209 – craftcms/cms

Package

Manager: composer
Name: craftcms/cms
Vulnerable Version: >=5.0.0-rc1 <5.5.8 || >=4.0.0-rc1 <4.13.8

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.03622 pctl0.87345

Details

Craft CMS has a potential RCE with a compromised security key ### Impact This is an RCE vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret Anyone running an unpatched version of Craft with a compromised security key is affected. ### Patches This has been patched in Craft 5.5.8 and 4.13.8. ### Workarounds If you can't update to a patched version, then rotating your security key and ensuring its privacy will help to migitgate the issue. ### References https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603

Metadata

Created: 2025-01-21T19:48:38Z
Modified: 2025-01-21T19:48:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-x684-96hh-833x/GHSA-x684-96hh-833x.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-x684-96hh-833x
Finding: F422
Auto approve: 1