
CVE-2025-60868: Alt Redirect 1.6.3 addon for Statamic, "Query String Strip" bypass

Severity: Medium
Type: Vulnerability (CVE-2025-60868)
Published: Fri Oct 10 2025 (10/10/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

The Alt Redirect 1.6.3 addon for Statamic fails to consistently strip query string parameters when the "Query String Strip" feature is enabled. Case variations, encoded keys, and duplicates are not removed, allowing attackers to bypass sanitization. This may lead to cache poisoning, parameter pollution, or denial of service.

AI-Powered Analysis

Last updated: 10/10/2025, 14:04:20 UTC

Technical Analysis

CVE-2025-60868 affects version 1.6.3 of the Alt Redirect addon for the Statamic content management system. The addon offers a "Query String Strip" option intended to remove configured query string parameters from URLs before they are processed further. According to the advisory, the stripping is inconsistent: a parameter survives when its key differs in case from the configured key (for example, UTM_SOURCE instead of utm_source), when the key is percent-encoded (for example, %75tm_source, which decodes to utm_source), or when the same key is sent more than once and only one occurrence is removed. Any of these variants lets a client keep a parameter the feature was supposed to discard. The advisory lists three consequences: cache poisoning, because a parameter that should have been stripped can reach whatever layer builds cache entries and either influence cached content or create cache keys that differ from the canonical one; HTTP parameter pollution, because a surviving duplicate or variant key can change how the application interprets the request; and denial of service, for which the advisory gives no mechanism (a plausible route, inferred here rather than stated in the record, is that each unique unstripped query string becomes a cache miss and an origin hit, or fills the cache with junk entries). No CVSS score or vector has been assigned, and no known exploit has been reported. No patch link is provided, so a fix may not have been public at the time of publication; the only version named is 1.6.3, and nothing in the record states whether earlier versions are affected. Because the flaw is a bypass of input normalization, the direct impact is on integrity (what gets cached and how parameters are interpreted) and availability; the description does not identify a confidentiality impact. The vulnerability class implies the bypass is reachable by any client that can send a crafted query string, but without a published vector the authentication and interaction requirements are inferred, not confirmed.
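As an added illustration, and not the addon's own code (the page does not show the maintainers' implementation), the following Python contrasts a strip routine that exhibits the three failure modes named in the advisory with one that canonicalizes keys before matching. The STRIP_KEYS set, URLs and host names are constructed for the example; the hardened version percent-decodes keys (repeatedly, to collapse double-encoding), lowercases them, removes every occurrence, and rebuilds a sorted query string so that any downstream cache key is stable.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode, unquote

# Constructed list of keys the "Query String Strip" option is assumed to remove.
STRIP_KEYS = {"utm_source", "utm_medium", "fbclid"}


def naive_strip(url: str) -> str:
    """Reproduces the failure mode described in the advisory (constructed, not the
    addon's code): the raw, still-encoded key is compared case-sensitively against
    the configured key, and only the first matching pair is removed."""
    parts = urlsplit(url)
    pairs = parts.query.split("&") if parts.query else []
    for key in STRIP_KEYS:
        for i, pair in enumerate(pairs):
            if pair.split("=", 1)[0] == key:
                del pairs[i]      # first occurrence only; duplicates survive
                break
    return urlunsplit(parts._replace(query="&".join(pairs)))


def canonical_key(raw: str) -> str:
    """Percent-decode until stable (bounded, so %2575 -> %75 -> u), then lowercase."""
    key = raw
    for _ in range(3):
        decoded = unquote(key)
        if decoded == key:
            break
        key = decoded
    return key.lower()


def hardened_strip(url: str) -> str:
    """Match on the canonical form of every key and drop all occurrences.
    parse_qsl decodes one level of percent-encoding; canonical_key handles the
    rest and the case folding. The surviving pairs are re-encoded and sorted so
    the output is canonical regardless of how the client ordered them."""
    parts = urlsplit(url)
    kept = [
        (k, v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if canonical_key(k) not in STRIP_KEYS
    ]
    kept.sort()
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    # Constructed bypass inputs: case variant, encoded key, duplicate key, double-encoded key.
    for u in (
        "https://example.test/p?UTM_SOURCE=x&page=2",
        "https://example.test/p?%75tm_source=x&page=2",
        "https://example.test/p?utm_source=a&utm_source=b&page=2",
        "https://example.test/p?%2575tm_source=x&page=2",
    ):
        print(f"{u}\n  naive    -> {naive_strip(u)}\n  hardened -> {hardened_strip(u)}")
```

The naive version leaves the tracking key in place for every input above; the hardened version reduces each of them to `https://example.test/p?page=2`. The same canonical form should be used wherever the request is later turned into a cache key, otherwise the strip and the cache can still disagree.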

Potential Impact

For European organizations, the risk is to the integrity and availability of public-facing web properties built on Statamic with this addon enabled. Cache poisoning can cause a shared cache to serve attacker-influenced or stale content to every subsequent visitor, which damages trust and can be a stepping stone to further attacks on users. Parameter pollution can change application behavior in ways the site owner did not intend, including weakening controls that depend on a parameter being absent or single-valued. A denial of service would interrupt access to the site and any business process that depends on it. Sectors that depend heavily on web content delivery, such as e-commerce, media and government services, are the most exposed. The bypass only needs a crafted query string, so it can be attempted remotely and at scale, and the absence of a published patch makes interim mitigation more pressing. If cached or manipulated content ends up exposing personal data, GDPR obligations may follow in addition to the reputational and operational cost.

Mitigation Recommendations

European organizations should first inventory their Statamic installations and confirm whether the Alt Redirect addon is installed, which version is in use, and whether "Query String Strip" is enabled; the advisory names 1.6.3 and lists no fixed version, so treat any deployment of that version as affected until the maintainers say otherwise. Until a fix is available, normalize query strings at the reverse proxy or WAF before they reach the application and the cache: percent-decode keys, fold case, collapse duplicates, and sort parameters so that the value used as a cache key is canonical and does not depend on how the client spelled it. Make sure the cache layer derives its key from the same normalized form rather than from the raw request line. Monitor web server and application logs for query strings whose keys are case or encoding variants of the configured strip keys, or that repeat such a key, since those are the patterns that bypass the feature. Follow the Statamic and addon maintainers' channels for a patched release and apply it when published. Disabling "Query String Strip" removes the inconsistent behavior but also removes its benefit, so only do so if the proxy-side normalization above replaces it; replacing the addon with one that normalizes keys correctly is the other option. Verify any mitigation with targeted testing of case, encoding and duplicate variants, keep incident response ready in case exploitation is observed, and record what was changed and why for stakeholders.
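The log monitoring suggested above, as an added example rather than anything from the page or the addon: the script scans access-log lines in Common Log Format and flags requests whose query string carries a case or encoding variant of a configured strip key, or repeats one. The log lines, the client addresses and the STRIP_KEYS set are constructed for the example; the same logic can be pointed at a real access log.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed set of keys the "Query String Strip" option is assumed to remove.
STRIP_KEYS = {"utm_source", "utm_medium", "fbclid"}

# Constructed Common Log Format lines; not real traffic. Lines 2-4 carry the
# three bypass shapes named in the advisory (case variant, encoded key, duplicate).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:14:00:01 +0000] "GET /blog/post?utm_source=newsletter HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2025:14:00:02 +0000] "GET /blog/post?UTM_SOURCE=a HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2025:14:00:03 +0000] "GET /blog/post?%75tm_source=b HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2025:14:00:04 +0000] "GET /blog/post?utm_source=c&utm_source=d HTTP/1.1" 200 5120
198.51.100.7 - - [10/Oct/2025:14:00:05 +0000] "GET /blog/post?page=2 HTTP/1.1" 200 5120
"""

# Request target from the quoted request line; method set is an assumption.
REQ_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')


def canon(key: str) -> str:
    """Two rounds of percent-decoding (covers one level of double-encoding), then lowercase."""
    return unquote(unquote(key)).lower()


def suspicious_keys(target: str) -> list[str]:
    """Return the reasons a request target looks like a strip-bypass attempt.
    Keys are split by hand rather than with parse_qsl so the literal spelling the
    client sent (case, encoding) is still visible for comparison."""
    query = urlsplit(target).query
    raw_keys = [pair.split("=", 1)[0] for pair in query.split("&") if pair]
    reasons = []
    for raw in raw_keys:
        c = canon(raw)
        if c in STRIP_KEYS and raw != c:
            reasons.append(f"variant of stripped key {c!r}: {raw!r}")
    for c, n in Counter(canon(k) for k in raw_keys).items():
        if c in STRIP_KEYS and n > 1:
            reasons.append(f"duplicate stripped key {c!r} x{n}")
    return reasons


def scan_log(text: str) -> list[tuple[int, str, list[str]]]:
    """Yield (line number, request target, reasons) for every flagged line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        reasons = suspicious_keys(m.group(1))
        if reasons:
            hits.append((lineno, m.group(1), reasons))
    return hits


if __name__ == "__main__":
    for lineno, target, reasons in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {target}")
        for r in reasons:
            print(f"    {r}")
```

A plainly spelled, single `utm_source=...` (line 1) is ordinary traffic and is not flagged; only the forms that would slip past a case-sensitive, encoded-key, first-occurrence-only strip are reported. A burst of such requests from one client, each with a different value, is also the signature of the cache-filling denial of service described above.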


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-09-26T00:00:00.000Z
CVSS Version: none assigned
State: PUBLISHED

Threat ID: 68e912159497c34e0b6ebdc1

Added to database: 10/10/2025, 2:03:01 PM

Last enriched: 10/10/2025, 2:04:20 PM

Last updated: 10/10/2025, 8:11:57 PM
