Cyber Posture

CVE-2025-22204

Critical

Published: 04 February 2025

Modified: 04 June 2025
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0433 (89.0th percentile)
Risk Priority: 22 (60% EPSS · 20% KEV · 20% CVSS)

Description

Improper control of generation of code in the Sourcerer extension for Joomla in versions before 11.0.0 leads to a remote code execution vulnerability.

Security Summary

CVE-2025-22204 is a remote code execution vulnerability stemming from improper control of code generation (CWE-94) in the Sourcerer extension for Joomla, affecting versions prior to 11.0.0. Published on 2025-02-04, the issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact compromise across confidentiality, integrity, and availability.

The vulnerability can be exploited by unauthenticated remote attackers with network access, requiring low complexity and no user interaction. Exploitation enables arbitrary code execution on the affected Joomla instance, granting attackers full control over the server hosting the extension.

Mitigation requires upgrading the Sourcerer extension to version 11.0.0 or later. Additional details are available from the vendor at https://regularlabs.com/sourcerer.

Details

CWE(s)
CWE-94

Affected Products

Vendor: regularlabs
Product: sourcerer
Versions: ≤ 11.0.0
