
CVE-2025-35939: CWE-472 External Control of Assumed-Immutable Web Parameter in Craft CMS

Medium
Tags: Vulnerability, CVE-2025-35939, CWE-472
Published: Wed May 07 2025 (05/07/2025, 22:41:29 UTC)
Source: CVE
Vendor/Project: Craft
Product: CMS

Description

Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named 'sess_[session_value]', where '[session_value]' is provided to the client in a 'Set-Cookie' response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue.

AI-Powered Analysis

AI last updated: 10/21/2025, 21:16:38 UTC

Technical Analysis

CVE-2025-35939 is a vulnerability classified under CWE-472 (External Control of Assumed-Immutable Web Parameter) affecting Craft CMS. The core issue arises because Craft CMS stores arbitrary content provided by unauthenticated users in session files without proper sanitization. Specifically, when unauthenticated clients request pages requiring authentication, Craft CMS redirects them to a login page and creates a session file named 'sess_[session_value]' in the server's session directory ('/var/lib/php/sessions'). The session value is sent to the client via a 'Set-Cookie' header. The vulnerability stems from the fact that the return URL parameter, which is stored in the session file, is not sanitized. This allows an attacker to inject arbitrary data, including potentially malicious PHP code, into a known local file on the server. While the vulnerability itself does not directly enable code execution, it sets the stage for exploitation if combined with an independent vulnerability that allows execution of the injected code. The vulnerability affects Craft CMS versions before 5.7.5 and 4.15.3, which have addressed the issue by sanitizing inputs and securing session handling. The CVSS 3.1 base score is 5.3 (medium), reflecting the lack of confidentiality impact but the presence of integrity risk and ease of remote exploitation without authentication or user interaction. No known exploits are currently reported in the wild. The vulnerability highlights the risk of trusting user-controlled parameters in session management and the importance of input validation and secure session file handling.

Potential Impact

For European organizations using Craft CMS, this vulnerability poses a moderate risk primarily to the integrity of web applications. Attackers can inject arbitrary content into session files, potentially leading to code execution if chained with other vulnerabilities. This could result in unauthorized modification of website behavior, defacement, or further compromise of backend systems. Although there is no direct confidentiality or availability impact, the integrity compromise can undermine trust in affected websites and lead to reputational damage. Organizations relying on Craft CMS for critical web services or e-commerce may face business disruption and customer trust issues if exploited. The vulnerability’s ease of exploitation without authentication increases risk, especially for public-facing web servers. Given the widespread use of PHP-based CMS platforms in Europe, the threat is relevant to many small and medium enterprises as well as larger organizations. Prompt patching is essential to mitigate potential exploitation and prevent attackers from leveraging this vulnerability in multi-stage attacks.

Mitigation Recommendations

European organizations should immediately upgrade Craft CMS installations to versions 5.7.5 or 4.15.3 or later, where the vulnerability is fixed. In addition to patching, organizations should audit session management configurations to ensure session files are stored securely with appropriate permissions to prevent unauthorized access or modification. Implement strict input validation and sanitization for all user-controllable parameters, especially those stored in sessions or used in file paths. Employ web application firewalls (WAFs) to detect and block suspicious requests attempting to inject malicious parameters. Monitor server logs for unusual session file modifications or unexpected 'Set-Cookie' header values. Conduct regular security assessments and penetration tests focusing on session handling and parameter injection vectors. Where possible, isolate session storage from web root directories to reduce risk of code execution. Educate developers on secure coding practices related to session management and parameter handling to prevent similar vulnerabilities in the future.
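The two recommendations above that lend themselves to code are validating the return URL before it is stored in the session and monitoring session files for injected content. The following Python is an added example written for this page; it is not Craft CMS code and does not reproduce Craft's actual fix. The function names, the allowlist policy, and the session file layout in `SESSION_SAMPLES` are assumptions constructed for illustration; the only values taken from the advisory are the `sess_` file-name prefix and the fact that the return URL is the user-controlled parameter.

```python
"""Defensive helpers for the return-URL-in-session issue (added example).

Two independent controls:
  1. safe_return_url(): accept only site-relative paths before persisting a
     post-login redirect target (reject absolute URLs, protocol-relative URLs,
     control characters, PHP-looking content, oversize values).
  2. scan_session_contents()/scan_session_dir(): look for PHP open tags or NUL
     bytes inside existing 'sess_*' files as a detection/hunting check.
"""
import re
from pathlib import Path
from typing import Dict, List
from urllib.parse import urlsplit

MAX_RETURN_URL_LEN = 512  # assumed bound; tune to your longest legitimate route

# Allowlist: must start with a single '/', then only unreserved/sub-delimiter
# URL characters. '<', '>', '"', whitespace and backslash are never allowed, so a
# '<?php' fragment can never pass. The lookahead rejects '//host' and '/\host'.
SITE_RELATIVE_RE = re.compile(r"^/(?![/\\])[A-Za-z0-9._~!$&'()*+,;=:@%/?\-]*$")

# Detection pattern for PHP open tags ('<?php' or '<?=') inside session data.
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)


def safe_return_url(candidate: object, default: str = "/") -> str:
    """Return `candidate` if it is a safe site-relative path, else `default`."""
    if not isinstance(candidate, str):
        return default
    if not 0 < len(candidate) <= MAX_RETURN_URL_LEN:
        return default
    if not SITE_RELATIVE_RE.match(candidate):
        return default
    # Belt and braces: urlsplit must agree there is no scheme or host part.
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default
    return candidate


def scan_session_contents(sessions: Dict[str, str]) -> List[str]:
    """Return the names of session blobs containing PHP tags or NUL bytes."""
    flagged = []
    for name, body in sessions.items():
        if PHP_TAG_RE.search(body) or "\x00" in body:
            flagged.append(name)
    return sorted(flagged)


def scan_session_dir(directory: str) -> List[str]:
    """Read every 'sess_*' file in `directory` and scan it (read-only)."""
    blobs = {}
    for path in Path(directory).glob("sess_*"):
        try:
            blobs[path.name] = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
    return scan_session_contents(blobs)


# Constructed sample data (not real session files, not Craft's exact format):
# a PHP-serialized-looking key/value pair with a benign and a suspicious value.
SESSION_SAMPLES = {
    "sess_benign": '__returnUrl|s:14:"/admin/entries";',
    "sess_suspect": '__returnUrl|s:28:"/admin?x=<?php echo 1; ?>";',
}


if __name__ == "__main__":
    for url in ["/admin/entries", "https://evil.example/", "//evil.example/",
                "/admin?x=<?php echo 1; ?>", "/" + "a" * 600]:
        print(repr(url[:40]), "->", safe_return_url(url))
    print("flagged:", scan_session_contents(SESSION_SAMPLES))
    # To sweep a live host: scan_session_dir("/var/lib/php/sessions")
```

The validator deliberately uses an allowlist rather than stripping `<?php`: an attacker-controlled string that merely lacks a PHP tag can still carry other junk into the session file, and an allowlist of URL path characters closes that class of problem as a whole. The scanner is a point-in-time hunt, not a replacement for the upgrade; run it read-only as the PHP session owner and alert on any hit.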


Technical Details

Data Version
5.1
Assigner Short Name
cisa-cg
Date Reserved
2025-04-15T20:57:14.329Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682cd0fc1484d88663aecb6e

Added to database: 5/20/2025, 6:59:08 PM

Last enriched: 10/21/2025, 9:16:38 PM

Last updated: 11/22/2025, 1:19:28 AM


