CVE-2025-25286
Published: 13 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-25286 is a remote code execution vulnerability in the Homarus microservice, part of Crayfish, which provides FFmpeg functionality as one of several Islandora 8 microservices. The flaw affects web-accessible installations of Homarus prior to Crayfish version 4.1.0 in certain configurations, stemming from issues mapped to CWE-150 and CWE-157. It carries a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and high impacts on confidentiality, integrity, and availability.
Attackers require no privileges or user interaction and can exploit the vulnerability by sending crafted requests to Homarus's /convert endpoint. Successful exploitation enables remote code execution on the affected system, potentially allowing full compromise in exposed environments.
The vulnerability is patched in islandora/crayfish:4.1.0, as detailed in the project's GitHub commit and security advisory. Workarounds include restricting general Internet access to Homarus to reduce exploitability or configuring stronger authentication in Crayfish to reject requests with invalid Authorization headers before the problematic CLI interpolation occurs.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote code execution flaw in a publicly accessible web microservice (/convert endpoint) exploitable with no authentication or user interaction, directly enabling T1190: Exploit Public-Facing Application for initial access and arbitrary code execution.