CVE-2025-0502
Published: 15 January 2025
Description
Transmission of Private Resources into a New Sphere ('Resource Leak') vulnerability in CrafterCMS Engine on Linux, MacOS, x86, Windows, 64 bit, ARM allows Directory Indexing, Resource Leak Exposure.This issue affects CrafterCMS: from 4.0.0 before 4.0.8, from 4.1.0 before 4.1.6.
Security Summary
CVE-2025-0502 is a Transmission of Private Resources into a New Sphere ('Resource Leak') vulnerability in the CrafterCMS Engine, enabling Directory Indexing and Resource Leak Exposure. It affects CrafterCMS versions from 4.0.0 prior to 4.0.8 and from 4.1.0 prior to 4.1.6, across Linux, macOS, x86, Windows, 64-bit, and ARM platforms. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) and maps to CWE-402.
Remote unauthenticated attackers can exploit this vulnerability with low attack complexity and no user interaction. Exploitation grants access to private resources via directory indexing and leaks, leading to high-impact confidentiality loss through exposure of sensitive data and high-impact availability disruption.
The official CrafterCMS security advisory provides mitigation guidance at https://craftercms.com/docs/current/security/advisory.html#cv-2025011501. Affected systems should be upgraded to CrafterCMS 4.0.8 or later, or 4.1.6 or later, to address the issue.
Details
- CWE(s)