The Sprig plugin for Craft CMS provides reactive Twig components and includes a feature called the Sprig Playground, which allows users to test and interact with Sprig components. In versions 2.0.0 through 2.15.1 and 3.0.0 through 3.15.1, the Sprig Playground could be accessed by admin users or users with explicit permission, even when it should have been restricted. This access allowed these users to retrieve sensitive information such as security keys, credentials, and other configuration data, as well as to invoke the hashData() signing function, which could potentially be abused. The root cause is that the Sprig Playground remained accessible when the Craft CMS devMode was enabled, exposing sensitive internal data. Starting with versions 2.15.2 and 3.15.2, the plugin disables access to the Sprig Playground by default when devMode is off, mitigating the risk. There is an option to override this behavior via the enablePlaygroundWhenDevModeDisabled setting, which defaults to false. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information) and CWE-489 (Leftover Debug Code), indicating that debug or development features were not properly disabled in production. The CVSS v3.1 base score is 5.5, reflecting a medium severity with network attack vector, low attack complexity, requiring high privileges but no user interaction, and impacting confidentiality significantly while integrity and availability are less affected. No known exploits have been reported in the wild to date.

The primary impact of this vulnerability is the unauthorized exposure of sensitive information such as security keys and credentials to users who have administrative or explicit Sprig Playground permissions. Although exploitation requires authenticated access with elevated privileges, the leakage of sensitive configuration data can facilitate further attacks, including privilege escalation, unauthorized access to backend systems, or compromise of cryptographic operations relying on the exposed keys. Organizations running affected versions in production environments with devMode enabled or with the Sprig Playground enabled risk unintended data exposure. This can lead to loss of confidentiality, potential data breaches, and erosion of trust. Since Craft CMS is widely used for content management, especially in web applications, the vulnerability could affect a broad range of organizations, including enterprises, government agencies, and service providers. The absence of known exploits reduces immediate risk, but the presence of leftover debug functionality in production environments is a significant security concern that must be addressed promptly.

Organizations should upgrade the Sprig plugin to version 2.15.2 or 3.15.2 or later, where the vulnerability is fixed by disabling the Sprig Playground when devMode is off by default. If upgrading immediately is not feasible, ensure that the Craft CMS devMode is disabled in all production environments to prevent access to the Sprig Playground. Additionally, verify that the enablePlaygroundWhenDevModeDisabled setting is set to false to avoid accidental re-enabling of the playground. Review user permissions carefully to restrict Sprig Playground access only to trusted administrators. Conduct audits of configuration files and logs to detect any unauthorized access or data exposure. Remove or disable any leftover debug or development features in production deployments. Implement monitoring to detect unusual access patterns to the Sprig Playground or related components. Finally, consider rotating any potentially exposed keys or credentials as a precautionary measure.