Potential RCE with a compromised security key in craft/cms
Description
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is a remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version should rotate their security keys and ensure their privacy to help mitigate the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| craftcms/cms | Packagist | >= 5.0.0-RC1, < 5.5.8 | 5.5.8 |
| craftcms/cms | Packagist | >= 4.0.0-RC1, < 4.13.8 | 4.13.8 |
Affected products
Patches
e59e22b30c9d Fixed an RCE vulnerability
2 files changed · +8 −1
CHANGELOG.md+1 −0 modified@@ -4,6 +4,7 @@ - Fixed a bug where asset edit page URLs contained spaces if the asset filename contained spaces. ([#15236](https://github.com/craftcms/cms/issues/15236)) - Fixed a bug where custom fields were getting included in rendered field layout forms, even if their `getInputHtml()` method returned an empty string. +- Fixed an RCE vulnerability. ## 4.13.7 - 2024-12-17
src/controllers/UpdaterController.php+7 −1 modified@@ -12,6 +12,7 @@ use Composer\Semver\VersionParser; use Craft; use craft\errors\InvalidPluginException; +use craft\helpers\FileHelper; use RequirementsChecker; use Throwable; use yii\web\BadRequestHttpException; @@ -99,8 +100,13 @@ public function actionBackup(): Response */ public function actionRestoreDb(): Response { + $backupPath = $this->data['dbBackupPath']; + if (!file_exists($backupPath) || !FileHelper::isWithin($backupPath, Craft::$app->getPath()->getDbBackupPath())) { + throw new BadRequestHttpException("Invalid backup path: $backupPath"); + } + try { - Craft::$app->getDb()->restore($this->data['dbBackupPath']); + Craft::$app->getDb()->restore($backupPath); } catch (Throwable $e) { Craft::error('Error restoring up the database: ' . $e->getMessage(), __METHOD__); return $this->send([
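Review bot: the CHANGELOG entry `- Fixed an RCE vulnerability.` gives no advisory or CVE reference for anyone tracing the fix later; suggest appending the identifier in the same link style the neighbouring entries use, e.g. `- Fixed an RCE vulnerability. (GHSA-x684-96hh-833x)`.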
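Review bot: in `actionRestoreDb()`, `$backupPath = $this->data['dbBackupPath'];` reads the key without checking that it is present, and `file_exists()` is true for directories as well as files; suggest `$backupPath = $this->data['dbBackupPath'] ?? null;`, rejecting anything that is not a non-empty string, and using `is_file($backupPath)` ahead of the `FileHelper::isWithin()` containment test. The `BadRequestHttpException` message also echoes the rejected path straight back to the caller; a fixed message with the path logged server-side would be the safer choice. While in this method, the pre-existing log text `'Error restoring up the database: '` in the context lines could become `'Error restoring the database: '`.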
References
- github.com/advisories/GHSA-x684-96hh-833x (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-23209 (NVD entry)
- craftcms.com/knowledge-base/securing-craft (vendor hardening guide)
- github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603 (fix commit)
- github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x (vendor advisory)
- www.cisa.gov/known-exploited-vulnerabilities-catalog (CISA KEV catalog)