
CVE-2025-54417: CWE-94: Improper Control of Generation of Code ('Code Injection') in craftcms cms

Severity: Medium
Tags: Vulnerability, CVE-2025-54417, CWE-94
Published: Sat Aug 09 2025 (08/09/2025, 01:31:23 UTC)
Source: CVE Database V5
Vendor/Project: craftcms
Product: cms

Description

Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-23209: "Craft CMS has a potential RCE with a compromised security key". To exploit this vulnerability, the project must meet these requirements: have a compromised security key and create an arbitrary file in Craft's /storage/backups folder. With those criteria in place, attackers could create a specific, malicious request to the /updater/restore-db endpoint and execute CLI commands remotely. This issue is fixed in versions 4.16.3 and 5.8.4.

AI-Powered Analysis

AI analysis last updated: 08/17/2025, 01:08:54 UTC

Technical Analysis

CVE-2025-54417 is a medium-severity vulnerability affecting Craft CMS versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3. It is classified under CWE-94 (improper control of code generation, i.e. a code injection flaw). The vulnerability enables an attacker to bypass the fix for a previously known vulnerability (CVE-2025-23209) that allowed remote code execution (RCE) when the security key was compromised. To exploit CVE-2025-54417, an attacker must first possess a compromised security key and be able to create an arbitrary file within the /storage/backups directory of the Craft CMS installation. With these conditions met, the attacker can send a crafted malicious request to the /updater/restore-db endpoint, which triggers execution of arbitrary CLI commands on the server. This effectively allows remote code execution, potentially leading to full system compromise. The vulnerability does not require user interaction, but it does require low privileges (PR:L) and has high attack complexity (AC:H), meaning exploitation is not trivial but is feasible under the stated conditions. The vulnerability impacts confidentiality, integrity, and availability, as attackers can execute arbitrary commands and potentially exfiltrate data, modify content, or disrupt services. The issue has been fixed in versions 4.16.3 and 5.8.4 of Craft CMS. There are no known exploits in the wild at the time of publication, but the presence of a bypass of a prior RCE fix increases the risk profile for systems with compromised keys that have not been updated.

Potential Impact

For European organizations using Craft CMS within the affected version ranges, this vulnerability poses a significant risk. Craft CMS is used by businesses and agencies to build and manage digital experiences, including websites and web applications. Exploitation could lead to unauthorized remote code execution, allowing attackers to gain control over web servers, access sensitive data, modify website content, or disrupt services. This could result in data breaches involving personal data protected under GDPR, leading to regulatory fines and reputational damage. Additionally, attackers could use compromised servers as pivot points for further attacks within the organization's network. The requirement for a compromised security key means that organizations with weak key management or prior breaches are at higher risk. Since the vulnerability involves the /updater/restore-db endpoint, automated backup and restore processes could be exploited, potentially undermining disaster recovery mechanisms. The medium CVSS score reflects moderate ease of exploitation but significant potential impact, making timely patching critical to prevent escalation. Given the widespread use of Craft CMS in Europe, especially among SMEs and digital agencies, the threat is material and warrants immediate attention.

Mitigation Recommendations

1. Immediately upgrade Craft CMS installations to versions 4.16.3 or 5.8.4 or later to apply the official patch addressing this vulnerability.
2. Conduct a thorough audit of security keys used in Craft CMS projects; regenerate and securely store keys to prevent compromise.
3. Restrict write permissions on the /storage/backups directory to trusted processes only, minimizing the ability of attackers to create arbitrary files.
4. Implement strict access controls and monitoring on the /updater/restore-db endpoint, including IP allowlisting and authentication where possible.
5. Monitor logs for suspicious activity related to backup file creation and restore endpoint access to detect potential exploitation attempts.
6. Employ web application firewalls (WAFs) with custom rules to detect and block malicious requests targeting the restore-db endpoint.
7. Regularly review and harden server and application configurations to reduce attack surface, including disabling unnecessary CLI command execution capabilities.
8. Educate development and operations teams about secure key management and the risks of code injection vulnerabilities.
9. Establish incident response procedures to quickly isolate and remediate compromised systems if exploitation is suspected.
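As an added illustration of recommendations 3 and 5 (not part of the advisory and not Craft CMS code), the following Python script scans web server access logs for requests to the /updater/restore-db endpoint from sources outside an administrator allowlist, and lists files in /storage/backups whose names do not look like database backups. The log lines, the allowlisted address 10.0.0.5, the assumption that backups end in `.sql` or `.sql.zip`, and the assumption that Craft routes may also be reached through a `?p=` path parameter are all constructed for this example.

```python
"""Detect restore-db endpoint access and unexpected backup files.

Added example for the mitigation list above. Assumes Combined Log Format
access logs; all addresses, file names and suffixes below are constructed.
"""
import re
from collections import Counter

# Combined Log Format: ip ident user [ts] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Route named in the advisory. Matching on the route string rather than the
# leading slash also catches requests that pass the route in a query
# parameter (assumed here to be "?p=", Craft's default path parameter).
RESTORE_ROUTE = "updater/restore-db"

# Constructed allowlist of addresses expected to perform admin operations.
ADMIN_SOURCES = {"10.0.0.5"}

# Constructed sample access log lines.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Aug/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123
10.0.0.5 - - [09/Aug/2025:10:01:05 +0000] "GET /admin/dashboard HTTP/1.1" 200 8812
203.0.113.7 - - [09/Aug/2025:10:02:11 +0000] "POST /updater/restore-db HTTP/1.1" 200 312
203.0.113.7 - - [09/Aug/2025:10:02:13 +0000] "POST /updater/restore-db HTTP/1.1" 500 0
192.0.2.9 - - [09/Aug/2025:10:03:00 +0000] "POST /index.php?p=updater/restore-db HTTP/1.1" 200 300
10.0.0.5 - - [09/Aug/2025:10:04:00 +0000] "GET /updater/restore-db HTTP/1.1" 403 0
"""

# Assumed naming convention for legitimate Craft database backups.
EXPECTED_BACKUP_SUFFIXES = (".sql", ".sql.zip")


def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_restore_request(entry):
    """True if the request path targets the restore-db route (clean or ?p= form)."""
    return RESTORE_ROUTE in entry["path"]


def find_restore_attempts(log_text, admin_sources=ADMIN_SOURCES):
    """Return one alert per restore-db request from a non-allowlisted source.

    Failed attempts (non-2xx) are kept: a 500 after a restore request is
    exactly the kind of event worth correlating with backup-folder changes.
    """
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_restore_request(entry):
            continue
        if entry["ip"] in admin_sources:
            continue
        alerts.append({
            "ip": entry["ip"],
            "ts": entry["ts"],
            "method": entry["method"],
            "path": entry["path"],
            "status": entry["status"],
        })
    return alerts


def attempts_by_source(alerts):
    """Count alerts per source address for a quick triage summary."""
    return Counter(a["ip"] for a in alerts)


def unexpected_backup_files(filenames, suffixes=EXPECTED_BACKUP_SUFFIXES):
    """Return names in the backups folder that do not look like DB backups."""
    return [f for f in filenames if not f.lower().endswith(suffixes)]


if __name__ == "__main__":
    found = find_restore_attempts(SAMPLE_LOG)
    for a in found:
        print(f"ALERT restore-db {a['method']} from {a['ip']} at {a['ts']} -> {a['status']}")
    print("per source:", dict(attempts_by_source(found)))
    # Constructed directory listing of /storage/backups.
    listing = ["site--2025-08-09-100000--v5.8.3.sql", "site--2025-08-08.sql.zip", "stray.txt"]
    print("unexpected backup files:", unexpected_backup_files(listing))
```

In production the file listing would come from `os.listdir` on the real backups folder, and the log text from the web server's access log; the allowlist should match whoever legitimately runs restores, so that any other source hitting the endpoint stands out.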


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-07-21T23:18:10.281Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6896a8c3ad5a09ad00085a76

Added to database: 8/9/2025, 1:47:47 AM

Last enriched: 8/17/2025, 1:08:54 AM

Last updated: 8/18/2025, 1:22:21 AM

