CVE-2025-35939: CWE-472 External Control of Assumed-Immutable Web Parameter in Craft CMS
Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named 'sess_[session_value]', where '[session_value]' is provided to the client in a 'Set-Cookie' response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue.
AI Analysis
Technical Summary
CVE-2025-35939 is a medium severity vulnerability affecting Craft CMS, a popular content management system. The vulnerability arises because Craft CMS stores arbitrary content provided by unauthenticated users in session files located on the server, specifically under '/var/lib/php/sessions'. These session files are named using a predictable pattern 'sess_[session_value]', where the session value is provided to the client in a 'Set-Cookie' header. The core issue is that Craft CMS stores the return URL requested by the client without properly sanitizing parameters. This allows an unauthenticated attacker to inject arbitrary values, potentially including PHP code, into a known local file location on the server. Although the vulnerability itself does not directly allow code execution, it creates a scenario where an attacker could leverage an independent vulnerability or misconfiguration to execute the injected code. The vulnerability is classified under CWE-472, which involves external control of an assumed-immutable web parameter, indicating that the application trusts user input that should be immutable or controlled internally. Craft CMS versions prior to 5.7.5 and 4.15.3 are affected, with patches released in these versions to address the issue. The CVSS v3.1 base score is 5.3, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, limited integrity impact, and no availability impact. No known exploits are currently reported in the wild.
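The following is an added illustration, not Craft CMS code, of the validation a return-URL parameter needs before it is written into a server-side session. It assumes a hypothetical `sanitize_return_url` helper that only accepts site-relative paths with a conservative character set, so that a value arriving from an unauthenticated request cannot carry arbitrary bytes into the session file.

```python
"""Validate a client-supplied return URL before storing it in a session.

Added example (not Craft CMS code). The rule set is an assumption: a
post-login redirect only ever needs a site-relative path, so anything
else falls back to a fixed default instead of being persisted verbatim.
"""
import re
from urllib.parse import urlsplit

DEFAULT_RETURN = "/"
MAX_LEN = 512
# Conservative allowlists for a site-relative path and its query string.
_SAFE_PATH = re.compile(r"^/[A-Za-z0-9_\-./]*$")
_SAFE_QUERY = re.compile(r"^[A-Za-z0-9_\-.=&%]*$")


def sanitize_return_url(raw) -> str:
    """Return a safe site-relative URL, or DEFAULT_RETURN if raw is rejected."""
    if not isinstance(raw, str) or not raw or len(raw) > MAX_LEN:
        return DEFAULT_RETURN
    # Control characters never belong in a redirect target.
    if "\x00" in raw or "\r" in raw or "\n" in raw:
        return DEFAULT_RETURN
    parts = urlsplit(raw)
    # Reject anything with a scheme or host; this also blocks '//host/path'.
    if parts.scheme or parts.netloc:
        return DEFAULT_RETURN
    path = parts.path
    if not _SAFE_PATH.match(path) or ".." in path.split("/"):
        return DEFAULT_RETURN
    if not _SAFE_QUERY.match(parts.query):
        return DEFAULT_RETURN
    # The fragment is dropped: it is never needed server-side.
    return path + ("?" + parts.query if parts.query else "")


def store_return_url(session: dict, raw) -> str:
    """Persist only the sanitized value; the session dict stands in for
    whatever backing store the application uses."""
    safe = sanitize_return_url(raw)
    session["__returnUrl"] = safe
    return safe


if __name__ == "__main__":
    sess = {}
    for candidate in ("/admin/entries?page=2", "https://example.org/x",
                      "/admin/<?php echo 1; ?>"):
        print(repr(candidate), "->", repr(store_return_url(sess, candidate)))
```

The important property is that the stored value is derived from an allowlist, not from the raw parameter with a few characters stripped: any input that does not fit the expected shape of a redirect target is replaced rather than cleaned.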
Potential Impact
For European organizations using Craft CMS, this vulnerability poses a risk primarily to the integrity of their web applications. An attacker could inject malicious content into session files, which might be executed if combined with other vulnerabilities or server misconfigurations, potentially leading to unauthorized code execution or manipulation of application behavior. This could result in defacement, data tampering, or further compromise of the web server. Since Craft CMS is used by various businesses, including media, e-commerce, and government websites, exploitation could disrupt services or damage reputation. The vulnerability does not directly affect confidentiality or availability but could be a stepping stone for more severe attacks. European organizations with public-facing Craft CMS installations are particularly at risk, especially if they have not applied the patches. The medium severity suggests that while exploitation is feasible without authentication, it requires some conditions to be met, limiting the immediate widespread impact but still necessitating prompt remediation.
Mitigation Recommendations
European organizations should immediately upgrade Craft CMS to versions 5.7.5 or 4.15.3 or later, where the vulnerability has been addressed. In addition to patching, organizations should implement strict input validation and sanitization for all user-supplied parameters, especially those stored in session files or used in file paths. Web application firewalls (WAFs) can be configured to detect and block suspicious payloads targeting session management endpoints. Regularly audit session storage directories to detect anomalous files or unexpected content. Employ least privilege principles for the web server process to restrict its ability to execute or include session files as code. Monitoring and logging access to session files can help detect exploitation attempts. Finally, conduct security assessments to identify any chained vulnerabilities that could be exploited in conjunction with this issue to achieve code execution.
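As an added example of the session-directory audit recommended above (not part of the original advisory or of Craft CMS), the script below walks a PHP session directory, flags files whose names do not look like PHP session files, files that are unexpectedly large, and files containing a PHP open tag. The directory path, the size threshold and the sample session contents are constructed assumptions; on a real host the directory would be the one named in the advisory, '/var/lib/php/sessions'.

```python
"""Audit a PHP session directory for content that should never be there.

Added example, not Craft CMS code. Sample session files are constructed
inline so the script runs offline; point audit_session_dir() at the real
session directory to use it on a server.
"""
import os
import re
import tempfile

# Markers that indicate PHP source inside serialized session data.
PHP_MARKERS = (b"<?php", b"<?=")
# Assumed upper bound for a legitimate session file on this application.
MAX_EXPECTED_BYTES = 64 * 1024
# Default PHP session ids are alphanumeric (plus ',' and '-'); length varies by config.
SESSION_NAME = re.compile(r"^sess_[A-Za-z0-9,-]{22,256}$")


def scan_session_file(path: str) -> list:
    """Return a list of human-readable findings for one file (empty if clean)."""
    findings = []
    if not SESSION_NAME.match(os.path.basename(path)):
        findings.append("unexpected file name in session directory")
    size = os.path.getsize(path)
    if size > MAX_EXPECTED_BYTES:
        findings.append(f"oversized session file ({size} bytes)")
    with open(path, "rb") as fh:
        data = fh.read(MAX_EXPECTED_BYTES + 1)
    for marker in PHP_MARKERS:
        if marker in data:
            findings.append(f"PHP marker {marker.decode()} present")
    return findings


def audit_session_dir(directory: str) -> dict:
    """Map each suspicious file name to its findings; clean files are omitted."""
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        findings = scan_session_file(path)
        if findings:
            report[name] = findings
    return report


def build_sample_dir() -> str:
    """Create a temporary directory with constructed session files."""
    d = tempfile.mkdtemp(prefix="sess-audit-")
    samples = {
        # Benign: a serialized return URL pointing at an admin page.
        "sess_" + "a" * 26: b'__returnUrl|s:14:"/admin/entries";',
        # Suspicious: serialized data carrying a PHP open tag.
        "sess_" + "b" * 26: b'__returnUrl|s:23:"/admin/<?php echo 1; ?>";',
        # Suspicious: a file that is not a session file at all.
        "notasession.txt": b"stray file",
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return d


if __name__ == "__main__":
    for fname, reasons in audit_session_dir(build_sample_dir()).items():
        print(fname, "->", "; ".join(reasons))
```

Run from cron or a file-integrity job, the report gives operators the "anomalous files or unexpected content" signal the recommendation calls for; pairing it with access logging on the session directory lets a flagged file be tied back to the request that created it.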
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: cisa-cg
- Date Reserved: 2025-04-15T20:57:14.329Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0fc1484d88663aecb6e
Added to database: 5/20/2025, 6:59:08 PM
Last enriched: 8/5/2025, 1:08:03 AM
Last updated: 8/6/2025, 12:34:11 AM