
CVE-2025-35939: CWE-472 External Control of Assumed-Immutable Web Parameter in Craft CMS

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-35939, CWE-472
Published: Wed May 07 2025 (05/07/2025, 22:41:29 UTC)
Source: CVE
Vendor/Project: Craft
Product: CMS

Description

Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named 'sess_[session_value]', where '[session_value]' is provided to the client in a 'Set-Cookie' response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/26/2026, 21:27:14 UTC

Technical Analysis

CVE-2025-35939 is a vulnerability classified under CWE-472 (External Control of Assumed-Immutable Web Parameter) affecting Craft CMS. The core issue is that Craft CMS stores arbitrary content provided by unauthenticated users within session files located on the server at '/var/lib/php/sessions'. These session files are named 'sess_[session_value]', where the session value is assigned to the client via a 'Set-Cookie' header. When unauthenticated clients request pages requiring authentication, Craft CMS redirects them to the login page and generates a session file that includes the return URL requested by the client. However, this return URL parameter is not properly sanitized before being stored in the session file. As a result, an attacker can inject arbitrary data, including potentially executable PHP code, into a known local file on the server. While the vulnerability itself does not guarantee code execution, it creates a vector for further exploitation if combined with other vulnerabilities such as local file inclusion or code execution flaws. The vulnerability affects Craft CMS versions before 5.7.5 and 4.15.3, which have been released to remediate this issue. The CVSS 3.1 score of 5.3 indicates a medium severity with network attack vector, no privileges required, no user interaction, and an impact limited to integrity compromise without affecting confidentiality or availability.

Potential Impact

This vulnerability can lead to integrity compromise of the web application environment by allowing attackers to inject arbitrary content into session files. If an attacker successfully injects malicious PHP code into these session files and another vulnerability or misconfiguration allows execution of this code, it could lead to remote code execution, unauthorized access, or persistent compromise of the affected system. The impact is particularly significant for organizations relying on Craft CMS for their web presence, as it could undermine the trustworthiness and security of their sites. Although no direct confidentiality or availability impact is indicated, the potential for chained exploitation elevates the risk. Organizations with publicly accessible Craft CMS installations are at risk, especially if they have not applied the patches. The vulnerability can be exploited remotely without authentication or user interaction, increasing the threat surface and ease of exploitation.

Mitigation Recommendations

Organizations should immediately upgrade Craft CMS installations to version 5.7.5 or 4.15.3 or later, which contain fixes for this vulnerability. In addition to patching, administrators should audit session management configurations to ensure that session files are stored securely and that user input is properly sanitized before being written to any server-side files. Implementing strict input validation and output encoding for all parameters, especially those stored in sessions, is critical. Web application firewalls (WAFs) can be configured to detect and block suspicious payloads targeting session parameters. Monitoring server logs for unusual session file modifications or unexpected PHP code fragments can provide early detection of exploitation attempts. Restricting file permissions on session storage directories to prevent unauthorized modifications and isolating web application components can reduce the risk of chained exploits. Finally, organizations should conduct regular security assessments and penetration tests to identify and remediate similar injection vectors.
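As an added example (not code from this page, from Craft CMS, or from the vendor's fix): the first function is the kind of allow-list a post-login return URL should pass before it is written to the session, and the second audits a session directory for the two things the mitigation section asks you to watch, PHP fragments in session files and loose file permissions. The directory, the `sess_*` file layout and the signature patterns are assumptions, the sample files are constructed inline, and `/var/lib/php/sessions` is only the Debian/Ubuntu default for PHP's `session.save_path`.

```python
import re
import stat
import tempfile
from pathlib import Path
from urllib.parse import urlsplit
# Fragments that should never appear in a session file holding a return URL
# (constructed for this example; extend to suit the deployment).
SUSPICIOUS = re.compile(rb"<\?(php|=)|\beval\s*\(|base64_decode\s*\(", re.IGNORECASE)

def safe_return_url(raw, default="/"):
    """Keep only a short, site-relative path for the post-login redirect; anything
    with a scheme, host, whitespace or a PHP tag falls back to the default."""
    if not isinstance(raw, str) or not 0 < len(raw) <= 512:
        return default
    if not raw.startswith("/") or raw.startswith(("//", "/\\")):
        return default
    if not re.fullmatch(r"[\x21-\x7e]+", raw):   # printable ASCII, no spaces
        return default
    parts = urlsplit(raw)
    if parts.scheme or parts.netloc or SUSPICIOUS.search(raw.encode()):
        return default
    return raw

def audit_session_dir(session_dir):
    """Return [(filename, [reasons])] for sess_* files holding a suspicious
    fragment or readable/writable by group or others."""
    findings = []
    for path in sorted(Path(session_dir).glob("sess_*")):
        reasons = []
        m = SUSPICIOUS.search(path.read_bytes())
        if m:
            reasons.append("php_fragment:" + m.group(0).decode("latin-1"))
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            reasons.append(f"loose_mode:{mode:04o}")
        if reasons:
            findings.append((path.name, reasons))
    return findings

def run_demo():
    # Constructed sample files in PHP's 'name|serialized-value' session layout.
    samples = {
        "sess_clean0001": (b'__returnUrl|s:16:"/admin/dashboard";', 0o600),
        "sess_tamper0002": (b'__returnUrl|s:26:"/admin/?x=<?php echo 1; ?>";', 0o600),
        "sess_loose0003": (b'__returnUrl|s:7:"/admin/";', 0o644),
    }
    with tempfile.TemporaryDirectory() as d:
        for name, (body, mode) in samples.items():
            (Path(d) / name).write_bytes(body)
            (Path(d) / name).chmod(mode)
        return audit_session_dir(d)
```

Run `audit_session_dir` against the real `session.save_path` from cron or your monitoring agent; on a healthy host it returns an empty list.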


Technical Details

Data Version: 5.1
Assigner Short Name: cisa-cg
Date Reserved: 2025-04-15T20:57:14.329Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fc1484d88663aecb6e

Added to database: 5/20/2025, 6:59:08 PM

Last enriched: 2/26/2026, 9:27:14 PM

Last updated: 3/24/2026, 1:46:09 PM

Views: 112
