CVE-2024-56145: CWE-94: Improper Control of Generation of Code ('Code Injection') in craftcms cms
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.13.2, or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue.
AI Analysis
Technical Summary
CVE-2024-56145 is a critical remote code execution (RCE) vulnerability affecting multiple versions of Craft CMS, a popular content management system used for building custom digital experiences. The vulnerability arises from improper control of code generation, classified under CWE-94 (Improper Control of Generation of Code). Specifically, the issue manifests when the PHP configuration directive `register_argc_argv` is enabled in php.ini. This setting exposes command-line arguments to PHP scripts; for web requests it also populates `$_SERVER['argv']` from the request query string, which is why a command-line setting matters to a remote, unauthenticated attacker and, in this context, enables injection and execution of arbitrary code without authentication or user interaction. The affected versions are Craft CMS 3.0.0 up to but not including 3.9.14, 4.0.0-RC1 up to but not including 4.13.2, and 5.0.0-RC1 up to but not including 5.5.2. The vulnerability has a CVSS 4.0 base score of 9.3, indicating critical severity: the attack vector is network-based with low attack complexity, no privileges or user interaction are required, and the impact on confidentiality, integrity, and availability is high. Although no exploits are currently reported in the wild, the potential for exploitation is significant given the nature of the vulnerability and the low effort required. The recommended remediation is to upgrade Craft CMS to version 3.9.14, 4.13.2, or 5.5.2, which contain the fix. For users unable to upgrade immediately, disabling the `register_argc_argv` directive in the PHP configuration serves as a mitigating control. This vulnerability poses a severe risk because it could allow attackers to fully compromise affected web servers, leading to data breaches, defacement, or use of the compromised server as a pivot point for further attacks.
Potential Impact
For European organizations using Craft CMS, this vulnerability represents a critical threat to their web infrastructure. Successful exploitation could lead to complete system compromise, allowing attackers to execute arbitrary code remotely. This could result in unauthorized data access, data manipulation, service disruption, or deployment of malware such as ransomware. Given the widespread use of CMS platforms in Europe for government, healthcare, finance, and e-commerce sectors, the impact could be severe, including regulatory non-compliance (e.g., GDPR violations), financial losses, reputational damage, and operational downtime. The fact that no authentication or user interaction is required increases the risk of automated exploitation campaigns targeting vulnerable Craft CMS instances. Organizations with publicly accessible Craft CMS installations are particularly at risk. Additionally, the vulnerability could be leveraged to establish persistent backdoors or launch further attacks within corporate networks, amplifying the potential damage.
Mitigation Recommendations
1. Immediate upgrade of Craft CMS to the fixed versions: 3.9.14, 4.13.2, or 5.5.2. This is the most effective and recommended mitigation.
2. For organizations unable to upgrade promptly, disable the `register_argc_argv` directive in the PHP configuration (php.ini) to prevent the vulnerability from being exploitable. This can be done by setting `register_argc_argv = Off` and restarting the web server.
3. Conduct a thorough inventory of all Craft CMS instances within the organization to identify vulnerable versions.
4. Implement network-level protections such as web application firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting code injection vectors.
5. Monitor logs and network traffic for unusual activity indicative of exploitation attempts, including unexpected command-line argument usage or anomalous PHP execution patterns.
6. Employ strict access controls and segmentation to limit the exposure of CMS servers to the internet and internal networks.
7. Regularly back up CMS data and configurations to enable rapid recovery in case of compromise.
8. Educate development and operations teams about the risks associated with PHP configuration settings and the importance of timely patching.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2024-12-16T18:04:39.983Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6839b29a182aa0cae2b1bcf1
Added to database: 5/30/2025, 1:28:58 PM
Last enriched: 7/8/2025, 12:43:05 PM
Last updated: 7/26/2025, 11:15:42 AM