8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-23209

GHSA ID

GHSA-x684-96hh-833x

EPSS Score

0.88229%

CWE

CWE-94

Published

1/21/2025

Updated

1/21/2025

KEV Status

Yes

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-23209

CVE-2025-23209: Craft CMS has a potential RCE with a compromised security key

Impact

This is an RCE vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised.

https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret

Anyone running an unpatched version of Craft with a compromised security key is affected.

Patches

This has been patched in Craft 5.5.8 and 4.13.8.

Workarounds

If you can't update to a patched version, then rotating your security key and ensuring its privacy will help to migitgate the issue.

References

https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603

(GitHub Advisory)

8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-23209

GHSA ID

GHSA-x684-96hh-833x

EPSS Score

0.88229%

CWE

CWE-94

Published

1/21/2025

Updated

1/21/2025

KEV Status

Yes

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
craftcms/cms	composer	>= 5.0.0-RC1, < 5.5.5	5.5.8
craftcms/cms	composer	>= 4.0.0-RC1, < 4.13.8	4.13.8

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insufficient validation in the database restoration process. The commit diff shows added path validation using FileHelper::isWithin, indicating the original code accepted user-controlled 'dbBackupPath' without checks. With a compromised security key, attackers could forge signed requests to execute arbitrary code through malicious database restore operations. The CWE-94 classification and patch context confirm this is a code injection vector via uncontrolled path input.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T*is is *n R** vuln*r**ility t**t *****ts *r**t * *n* * inst*lls w**r* your s**urity k*y **s *lr***y ***n *ompromis**. *ttps://*r**t*ms.*om/knowl****-**s*/s**urin*-*r**t#k**p-your-s**r*ts-s**r*t *nyon* runnin* *n unp*t**** v*rsion o* *r

Reasoning

T** vuln*r**ility st*ms *rom insu**i*i*nt `v*li**tion` in t** **t***s* r*stor*tion `pro**ss`. T** *ommit *i** s*ows ***** p*t* `v*li**tion` usin* `*il***lp*r::isWit*in`, in*i**tin* t** ori*in*l *o** ****pt** us*r-*ontroll** '*****kupP*t*' wit*out ***

8.1

Basic Information

Concerned about an active attack path?

CVE-2025-23209: Craft CMS has a potential RCE with a compromised security key

Impact

Patches

Workarounds

References

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI