ByteOS Network

CVE Vulnerability Details :

CVE-2025-54417

PUBLISHED

More Info Official Page

Assigner-GitHub_M

Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa

Published At-09 Aug, 2025 | 01:31

Updated At-11 Aug, 2025 | 13:38

▼CVE Numbering Authority (CNA)

Craft contains a theoretical bypass for CVE-2025-23209

Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-23209: "Craft CMS has a potential RCE with a compromised security key". To exploit this vulnerability, the project must meet these requirements: have a compromised security key and create an arbitrary file in Craft's /storage/backups folder. With those criteria in place, attackers could create a specific, malicious request to the /updater/restore-db endpoint and execute CLI commands remotely. This issue is fixed in versions 4.16.3 and 5.8.4.

Affected Products

Vendor

craftcms

Product

cms

Versions

Affected

>= 4.13.8, < 4.16.3
>= 5.5.8, < 5.8.4

Problem Types

Type	CWE ID	Description
CWE	CWE-94	CWE-94: Improper Control of Generation of Code ('Code Injection')

Metrics

Version	Base score	Base severity	Vector
4.0	5.2	MEDIUM	CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

References

Hyperlink	Resource
https://github.com/craftcms/cms/security/advisories/GHSA-2vcf-qxv3-2mgw	x_refsource_CONFIRM
https://github.com/craftcms/cms/commit/a19d46be78a9ca1ea474012a10e97bed0d787f57	x_refsource_MISC

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References