CVE-2025-23209
Published: 18 January 2025
Description
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version, should rotate their security keys and ensure their privacy to help migitgate the issue.
Security Summary
CVE-2025-23209 is a remote code execution (RCE) vulnerability classified under CWE-94 that affects Craft CMS versions 4 and 5, specifically installations where the security key has already been compromised. Craft is a flexible, user-friendly content management system used for creating custom digital experiences on the web and beyond. Systems running unpatched versions of Craft 4 or 5 with a compromised security key are vulnerable.
Exploitation requires network access, high attack complexity, low privileges (PR:L), and user interaction (UI:R), resulting in a CVSS v3.1 base score of 8.0 with changed scope and high impacts to confidentiality, integrity, and availability. An attacker with access to a compromised security key can leverage this flaw to execute arbitrary code on affected installations.
Craft has addressed the vulnerability in versions 5.5.8 and 4.13.8. Users unable to patch should rotate their security keys and ensure their privacy to mitigate risk, as detailed in Craft's knowledge base on securing secrets, the GitHub security advisory GHSA-x684-96hh-833x, and the associated patch commit.
The vulnerability appears in the CISA Known Exploited Vulnerabilities Catalog, suggesting active real-world exploitation.
Details
- CWE(s)
- KEV Date Added
- 20 February 2025