CVE-2025-23209
Potential RCE with a compromised security key in craft/cms
In short
Craft CMS can execute malicious code if someone obtains your security key. If your security key is stolen, attackers can run arbitrary code on your server.
Technical detail
RCE vulnerability in Craft 4 and 5 exploitable when the security key is compromised; attackers can leverage insecure deserialization (CWE-94) to execute arbitrary code. Mitigation requires updating to Craft 5.5.8+ or 4.13.8+, or rotating security keys immediately.
Summary generated and translated by AI from the official description.
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version, should rotate their security keys and ensure their privacy to help migitgate the issue.
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Affected products
craftcms · cmsWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secrethttps://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833xhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209