GHSA-x684-96hh-833x

Source
https://github.com/advisories/GHSA-x684-96hh-833x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-x684-96hh-833x/GHSA-x684-96hh-833x.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-x684-96hh-833x
Aliases
Published
2025-01-21T19:48:38Z
Modified
2025-01-21T20:09:39.347981Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Summary
Craft CMS has a potential RCE with a compromised security key
Details

Impact

This is an RCE vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised.

https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret

Anyone running an unpatched version of Craft with a compromised security key is affected.

Patches

This has been patched in Craft 5.5.8 and 4.13.8.

Workarounds

If you can't update to a patched version, then rotating your security key and ensuring its privacy will help to mitigate the issue.

References

https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603

Database specific
{
    "nvd_published_at": "2025-01-18T01:15:07Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-21T19:48:38Z"
}

Affected packages

Packagist / craftcms/cms

Package

Name
craftcms/cms
Purl
pkg:composer/craftcms/cms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0-RC1
Fixed
5.5.8

Affected versions

5.*

5.0.0-RC1
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.1.10
5.2.0-beta.1
5.2.0-beta.2
5.2.0-beta.3
5.2.0-beta.4
5.2.0-beta.5
5.2.0-beta.6
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4
5.2.4.1
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
5.2.10
5.3.0-beta.1
5.3.0-beta.2
5.3.0
5.3.0.1
5.3.0.2
5.3.0.3
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.4.0
5.4.0.1
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.5.1
5.4.6
5.4.7
5.4.7.1
5.4.8
5.4.9
5.4.10
5.4.10.1
5.5.0
5.5.0.1
5.5.1
5.5.1.1
5.5.2
5.5.3
5.5.4
5.5.5
5.5.6
5.5.6.1
5.5.7

Database specific

{
    "last_known_affected_version_range": "< 5.5.5"
}

Packagist / craftcms/cms

Package

Name
craftcms/cms
Purl
pkg:composer/craftcms/cms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0-RC1
Fixed
4.13.8

Affected versions

4.*

4.0.0-RC1
4.0.0-RC2
4.0.0-RC3
4.0.0
4.0.0.1
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.5.1
4.0.5.2
4.0.6
4.1.0
4.1.0.1
4.1.0.2
4.1.1
4.1.2
4.1.3
4.1.4
4.1.4.1
4.2.0
4.2.0.1
4.2.0.2
4.2.1
4.2.1.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.5.1
4.2.5.2
4.2.6
4.2.7
4.2.8
4.3.0
4.3.1
4.3.2
4.3.2.1
4.3.3
4.3.4
4.3.5
4.3.6
4.3.6.1
4.3.7
4.3.7.1
4.3.8
4.3.8.1
4.3.8.2
4.3.9
4.3.10
4.3.11
4.4.0-beta.1
4.4.0-beta.2
4.4.0-beta.3
4.4.0-beta.4
4.4.0-beta.5
4.4.0-beta.6
4.4.0-beta.7
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5
4.4.6
4.4.6.1
4.4.7
4.4.7.1
4.4.8
4.4.9
4.4.10
4.4.10.1
4.4.11
4.4.12
4.4.13
4.4.14
4.4.15
4.4.16
4.4.16.1
4.4.17
4.5.0-beta.1
4.5.0-beta.2
4.5.0
4.5.1
4.5.2
4.5.3
4.5.4
4.5.5
4.5.6
4.5.6.1
4.5.7
4.5.8
4.5.9
4.5.10
4.5.11
4.5.11.1
4.5.12
4.5.13
4.5.14
4.5.15
4.6.0-RC1
4.6.0
4.6.1
4.7.0
4.7.1
4.7.2
4.7.2.1
4.7.3
4.7.4
4.8.0
4.8.1
4.8.2
4.8.3
4.8.4
4.8.5
4.8.6
4.8.7
4.8.8
4.8.9
4.8.10
4.8.11
4.9.0
4.9.1
4.9.2
4.9.3
4.9.4
4.9.5
4.9.6
4.9.7
4.10.0-beta.1
4.10.0-beta.2
4.10.0
4.10.1
4.10.2
4.10.3
4.10.4
4.10.5
4.10.6
4.10.7
4.10.8
4.11.0
4.11.0.1
4.11.0.2
4.11.1
4.11.2
4.11.3
4.11.4
4.11.5
4.12.0
4.12.1
4.12.2
4.12.3
4.12.4
4.12.4.1
4.12.5
4.12.6
4.12.6.1
4.12.7
4.12.8
4.12.9
4.13.0
4.13.1
4.13.1.1
4.13.2
4.13.3
4.13.4
4.13.5
4.13.6
4.13.7