Craft CMS, Remote Code Execution, GHSA-f3gw-9ww9-jmc3 (Critical)

Listen to this Post

The vulnerability arises from a flaw in Craft CMS’s input handling that allows an unauthenticated attacker to trigger arbitrary PHP code execution. It affects all versions from 3.0.0-RC1 up to (but not including) 3.9.15, 4.0.0-RC1 up to 4.14.14, and 5.0.0-RC1 up to 5.6.16. The issue is an additional hardening for CVE-2023-41892, which was a deserialization‑based RCE in the `__toString()` method of certain objects.
The new bypass exploits improper sanitization in the way Craft processes specially crafted HTTP requests. By sending a maliciously formed request containing a serialized payload or a crafted query parameter, an attacker can force the application to deserialize untrusted data. Because the CMS uses PHP’s `unserialize` on user‑controlled input in a vulnerable code path (such as in the `\craft\web\Request` class or the parameter parser), an attacker can inject a gadget chain that leads to execution of arbitrary PHP functions.
The attack is low‑complexity—no authentication is required, and the payload can be delivered via a simple GET or POST request. Successful exploitation grants full remote code execution with the privileges of the web server user, enabling the attacker to take over the site, read sensitive files, or pivot to internal networks.
The patch (commits e1c85441fa47eeb7c688c2053f25419bc0547b47 and associated backports) replaces unsafe `unserialize` calls with safe deserialization methods and adds stricter validation of input parameters across the framework.

dailycve form

Platform: Craft CMS
Version: 3.0.0‑RC1‑3.9.14,
Vulnerability : Remote Code Execution
Severity: CRITICAL (CVSS 10.0)
date: 2025-04-10

Prediction: Already Patched (2025-04-10)

Analytics

What Undercode Say:

Check installed Craft version (in project root)
php craft info | grep version
Identify vulnerable endpoints with curl (example)
curl -k "https://target.com/index.php?p=admin/actions/...&_craft_serialized=O:8:"Gadget":1:{...}"
Grep for unsafe unserialize in custom modules
grep -r "unserialize" craft/ vendor/craftcms/cms/ --include=".php"

how Exploit:

  1. Craft a serialized PHP object that chains exploitable classes (e.g., `\craft\elements\Asset` or \yii\rbac\PhpManager).
  2. Inject the payload into a request parameter that Craft unsafely deserializes, such as the `_craft` parameter, X-Forwarded-For, or a custom field.
  3. Send the request to any unauthenticated endpoint (e.g., /index.php?p=admin/actions/...).
  4. The gadget chain executes arbitrary PHP code, granting a shell or webshell.

Protection from this CVE

  • Immediately update to Craft CMS 3.9.15, 4.14.15, 5.6.17 or later.
  • If patching is delayed, block suspicious requests containing `O:` (object) patterns in query parameters via WAF.
  • Disable PHP’s `unserialize` for untrusted input by setting `allowed_classes=false` where possible.
  • Regularly audit custom plugins for unsafe deserialization calls.

Impact

  • Full remote code execution without authentication.
  • Complete compromise of the CMS instance, including database access, file manipulation, and lateral movement.
  • Data breach, defacement, or use of the server as a pivot for further attacks.
  • CVSS 10.0 (Critical) – highest severity rating.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: www.cve.org
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top