GHSA-2vcf-qxv3-2mgw

Source

https://github.com/advisories/GHSA-2vcf-qxv3-2mgw

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-2vcf-qxv3-2mgw/GHSA-2vcf-qxv3-2mgw.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2vcf-qxv3-2mgw

Aliases

CVE-2025-54417

Published

2025-08-08T19:32:50Z

Modified

2025-08-11T14:33:27.150148Z

Severity

5.2 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

Craft CMS has a theoretical bypass for CVE-2025-23209

Details

Pre-requisites:

Have a compromised security key (https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret)
Somehow, manage to create an arbitrary file in Craft’s /storage/backups folder.

With those two pieces in place, you could create a specific, malicious request to the /updater/restore-db endpoint to execute CLI commands remotely.

Fixed in https://github.com/craftcms/cms/commit/a19d46be78a9ca1ea474012a10e97bed0d787f57

Reported by Marco O. (segfault)

Database specific

{
    "github_reviewed": true,
    "severity": "MODERATE",
    "github_reviewed_at": "2025-08-08T19:32:50Z",
    "nvd_published_at": "2025-08-09T02:15:37Z",
    "cwe_ids": [
        "CWE-94"
    ]
}

References

Affected packages

Packagist / craftcms/cms

Package

Name: craftcms/cms
Purl: pkg:composer/craftcms/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.13.8

Fixed

4.16.3

Affected versions

4.*

4.13.8

4.13.9

4.13.10

4.14.0

4.14.0.1

4.14.0.2

4.14.1

4.14.2

4.14.3

4.14.4

4.14.5

4.14.6

4.14.7

4.14.8

4.14.8.1

4.14.9

4.14.10

4.14.11

4.14.11.1

4.14.12

4.14.13

4.14.14

4.14.15

4.15.0-beta.1

4.15.0-beta.2

4.15.0

4.15.0.1

4.15.0.2

4.15.1

4.15.2

4.15.3

4.15.4

4.15.5

4.15.6

4.15.6.1

4.15.6.2

4.15.7

4.16.0

4.16.1

4.16.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-2vcf-qxv3-2mgw/GHSA-2vcf-qxv3-2mgw.json"

Packagist / craftcms/cms

Package

Name: craftcms/cms
Purl: pkg:composer/craftcms/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.5.8

Fixed

5.8.4

Affected versions

5.*

5.5.8

5.5.9

5.5.10

5.6.0

5.6.0.1

5.6.0.2

5.6.1

5.6.2

5.6.3

5.6.4

5.6.5

5.6.5.1

5.6.6

5.6.7

5.6.8

5.6.9

5.6.9.1

5.6.10

5.6.10.1

5.6.10.2

5.6.11

5.6.12

5.6.13

5.6.14

5.6.15

5.6.16

5.6.17

5.7.0-beta.1

5.7.0-beta.2

5.7.0

5.7.1

5.7.1.1

5.7.2

5.7.3

5.7.4

5.7.5

5.7.6

5.7.7

5.7.8

5.7.8.1

5.7.8.2

5.7.9

5.7.10

5.7.11

5.8.0

5.8.1

5.8.2

5.8.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-2vcf-qxv3-2mgw/GHSA-2vcf-qxv3-2mgw.json"