Описание
Craft CMS has a potential RCE with a compromised security key
Impact
This is an RCE vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised.
https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret
Anyone running an unpatched version of Craft with a compromised security key is affected.
Patches
This has been patched in Craft 5.5.8 and 4.13.8.
Workarounds
If you can't update to a patched version, then rotating your security key and ensuring its privacy will help to migitgate the issue.
References
https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603
Ссылки
- https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x
- https://nvd.nist.gov/vuln/detail/CVE-2025-23209
- https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603
- https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209
Пакеты
craftcms/cms
>= 5.0.0-RC1, < 5.5.5
5.5.8
craftcms/cms
>= 4.0.0-RC1, < 4.13.8
4.13.8
Связанные уязвимости
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version, should rotate their security keys and ensure their privacy to help migitgate the issue.