{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-23209", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-01-13T17:15:41.051Z", "datePublished": "2025-01-18T00:32:54.954Z", "dateUpdated": "2025-10-21T22:55:31.434Z"}, "containers": {"cna": {"title": "Potential RCE with a compromised security key in craft/cms", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x"}, {"name": "https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603"}, {"name": "https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret", "tags": ["x_refsource_MISC"], "url": "https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret"}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"version": ">= 5.0.0-RC1, < 5.5.5", "status": "affected"}, {"version": ">= 4.0.0-RC1, < 4.13.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-01-18T00:32:54.954Z"}, "descriptions": [{"lang": "en", "value": "Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version, should rotate their security keys and ensure their privacy to help migitgate the issue."}], "source": {"advisory": "GHSA-x684-96hh-833x", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-23209", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-21T04:56:13.643788Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2025-02-20", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209"}}}], "references": [{"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209", "tags": ["government-resource"]}], "timeline": [{"time": "2025-02-20T00:00:00+00:00", "lang": "en", "value": "CVE-2025-23209 added to CISA KEV"}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-21T22:55:31.434Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-23209", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-21T04:56:13.643788Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2025-02-20", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209"}}}], "timeline": [{"lang": "en", "time": "2025-02-20T00:00:00+00:00", "value": "CVE-2025-23209 added to CISA KEV"}], "references": [{"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209", "tags": ["government-resource"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-22T14:20:45.432Z"}}], "cna": {"title": "Potential RCE with a compromised security key in craft/cms", "source": {"advisory": "GHSA-x684-96hh-833x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"status": "affected", "version": ">= 5.0.0-RC1, < 5.5.5"}, {"status": "affected", "version": ">= 4.0.0-RC1, < 4.13.8"}]}], "references": [{"url": "https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x", "name": "https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603", "name": "https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603", "tags": ["x_refsource_MISC"]}, {"url": "https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret", "name": "https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version, should rotate their security keys and ensure their privacy to help migitgate the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-01-18T00:32:54.954Z"}}}, "cveMetadata": {"cveId": "CVE-2025-23209", "state": "PUBLISHED", "dateUpdated": "2025-10-21T22:55:31.434Z", "dateReserved": "2025-01-13T17:15:41.051Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-01-18T00:32:54.954Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cisaActionDue": "2025-03-13", "cisaExploitAdd": "2025-02-20", "cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Craft CMS Code Injection Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "A969ACE2-4C09-452A-B9BD-113CA9A4FF30", "versionEndExcluding": "4.13.8", "versionStartExcluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "8DBFB276-7508-492E-ACBA-A229E869A831", "versionEndExcluding": "5.5.8", "versionStartExcluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "610F6DE9-720F-45B3-81D5-18E7F6B090FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "CC2F40FC-7C27-456A-B16D-679410D1D5CF", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "FBAA8227-04F8-404C-907B-B0162B325F5A", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "21B28E2C-327A-4CE6-ACAD-97E459712A55", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "1C7461CF-35AB-48E1-88B6-956DAE1D2AB4", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "8D8E02D1-601A-4E2B-B619-4775BFDB72D0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version, should rotate their security keys and ensure their privacy to help migitgate the issue."}, {"lang": "es", "value": "Craft es un CMS flexible y f\u00e1cil de usar para crear experiencias digitales personalizadas en la web y m\u00e1s all\u00e1. Esta es una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo (RCE) que afecta a las instalaciones de Craft 4 y 5 en las que su clave de seguridad ya se ha visto comprometida. Cualquiera que ejecute una versi\u00f3n sin parches de Craft con una clave de seguridad comprometida se ve afectado. Esta vulnerabilidad se ha corregido en Craft 5.5.8 y 4.13.8. Los usuarios que no puedan actualizar a una versi\u00f3n parcheada deben rotar sus claves de seguridad y garantizar su privacidad para ayudar a mitigar el problema."}], "id": "CVE-2025-23209", "lastModified": "2025-10-24T13:59:53.980", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-01-18T01:15:07.633", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["US Government Resource"], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}