CVE-2025-54417
- Source
- https://cve.org/CVERecord?id=CVE-2025-54417
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54417.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-54417
- Aliases
- Published
- 2025-08-09T01:31:23.974Z
- Modified
- 2026-04-10T05:29:33.598011Z
- Severity
-
- 5.2 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator
- Summary
- Craft contains a theoretical bypass for CVE-2025-23209
- Details
-
Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-23209: "Craft CMS has a potential RCE with a compromised security key". To exploit this vulnerability, the project must meet these requirements: have a compromised security key and create an arbitrary file in Craft's /storage/backups folder. With those criteria in place, attackers could create a specific, malicious request to the /updater/restore-db endpoint and execute CLI commands remotely. This issue is fixed in versions 4.16.3 and 5.8.4.
- Database specific
{ "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54417.json", "cwe_ids": [ "CWE-94" ] }- References
Affected packages
Git / github.com/craftcms/cms
Affected ranges
Affected versions
4.*
4.13.10
4.13.8
4.13.9
4.14.0
4.14.0.1
4.14.0.2
4.14.1
4.14.10
4.14.11
4.14.11.1
4.14.12
4.14.13
4.14.14
4.14.15
4.14.2
4.14.3
4.14.4
4.14.5
4.14.6
4.14.7
4.14.8
4.14.8.1
4.14.9
4.15.0
4.15.0.1
4.15.0.2
4.15.1
4.15.2
4.15.3
4.15.4
4.15.5
4.15.6
4.15.6.1
4.15.6.2
4.15.7
4.16.0
4.16.1
4.16.2