
CVE-2025-23209

nvd nist
Published: Jan 18, 2025
Modified: Oct 24, 2025
Listed in CISA KEV

CVSS v3.1 base score: 8.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 / Impact: 5.9
Source: NVD

Description

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is a remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version should rotate their security keys and ensure their privacy to help mitigate the issue.

Affected (8)

Products: Craftcms: Craft Cms (1 product)

Configuration A (8 vulnerable)

Vulnerable Software: Craftcms
Affected Versions:
  After 4.0.0 to 4.13.8
  After 5.0.0 to 5.5.8
  Version 4.0.0
  Version 4.0.0 rc1
  Version 4.0.0 rc2
  Version 4.0.0 rc3
  Version 5.0.0
  Version 5.0.0 rc1

References (4)

Source: security-advisories@github.com
Vendor Advisory
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
US Government Resource

Timeline (19)

10/24/2025
1 change
Modified Analysis - Reference Type
01:59 PM
- -
+ CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209 Types: US Government Resource
10/21/2025
3 changes
CVE Modified - Reference
11:16 PM
- -
+ https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209
CVE Modified - Reference
08:20 PM
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209
+ -
CVE Modified - Reference
07:21 PM
- -
+ https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209
2/21/2025
9 changes
Initial Analysis - Reference Type
02:48 PM
- https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x No Types Assigned
+ https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x Vendor Advisory
Initial Analysis - Reference Type
02:48 PM
- https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603 No Types Assigned
+ https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603 Patch
Initial Analysis - Reference Type
02:48 PM
- https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret No Types Assigned
+ https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret Product
Initial Analysis - CPE Configuration
02:48 PM
- -
+ OR *cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:* *cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:* *cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:* *cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:* *cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:* versions from (excluding) 4.0.0 up to (excluding) 4.13.8 *cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:* *cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:* *cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:* versions from (excluding) 5.0.0 up to (excluding) 5.5.8
Initial Analysis - CVSS V3.1
02:48 PM
- -
+ NIST AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE CISA KEV Update - Vulnerability Name
02:00 AM
- -
+ Craft CMS Code Injection Vulnerability
CVE CISA KEV Update - Required Action
02:00 AM
- -
+ Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CVE CISA KEV Update - Due Date
02:00 AM
- -
+ 2025-03-13
CVE CISA KEV Update - Date Added
02:00 AM
- -
+ 2025-02-20
1/18/2025
6 changes
New CVE Received - Reference
01:15 AM
- -
+ https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x
New CVE Received - Reference
01:15 AM
- -
+ https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603
New CVE Received - Reference
01:15 AM
- -
+ https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret
New CVE Received - CWE
01:15 AM
- -
+ CWE-94
New CVE Received - CVSS V3.1
01:15 AM
- -
+ AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
New CVE Received - Description
01:15 AM
- -
+ Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version, should rotate their security keys and ensure their privacy to help migitgate the issue.