
CVE-2025-34086: Bolt CMS vulnerable to authenticated remote code execution

CVSS Score: 7.5 (CVSS 4.0)

Basic Information

EPSS Score: 0.7246%
Published: 7/3/2025
Updated: 7/7/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name: bolt/bolt
Ecosystem: composer
Vulnerable Versions: <= 3.7.0
First Patched Version: (none listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The analysis of the vulnerability was based on the detailed description provided, the referenced exploit from Exploit-DB, and the Metasploit module. The core of the vulnerability is a lack of input sanitization in the user profile's displayname field, which is handled by Bolt\Controller\Backend\Users::save(). This allows for the initial code injection. The vulnerability is escalated by other weaknesses in the system, specifically the ability to list session files using Bolt\Controller\Async\Browse::browse() and the ability to rename and move these files into a web-accessible directory using Bolt\Controller\Async\FilesystemManager::rename(). This chain of vulnerabilities allows an authenticated user to achieve remote code execution. The identified functions are the key components that enable this attack.

Vulnerable functions

Bolt\Controller\Backend\Users::save
src/Controller/Backend/Users.php
This function processes user profile updates. It takes the `displayname` from the user input and saves it to the database. Because it does not sanitize the input, an attacker can inject PHP code into this field. This code is later rendered in a backend template and written to a session file, which is the first step in the exploit chain.

Bolt\Controller\Async\Browse::browse
src/Controller/Async/Browse.php
This function allows browsing of directories on the server. The exploit uses this to list files in the `cache/.sessions` directory, which contains session files. This information is then used to select a session file to rename.

Bolt\Controller\Async\FilesystemManager::rename
src/Controller/Async/FilesystemManager.php
This function is responsible for renaming files. The vulnerability is that it can be used to move a file from a non-web-accessible directory (`app/cache/.sessions`) to a web-accessible one (`public/files`) and change its extension to `.php`. This allows the attacker to create a web shell.

WAF Protection Rules

WAF Rule

Bolt CMS versions 3.7.0 and earlier contain a chain of vulnerabilities that together allow an authenticated user to achieve remote code execution. A user with valid credentials can inject arbitrary PHP code into the displayname field of the user pro
