N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-c2p2-hgjg-9r3f

EPSS Score

CWE

CWE-74

Published

2/12/2025

Updated

2/12/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-c2p2-hgjg-9r3f

GHSA-c2p2-hgjg-9r3f: Crayfish Allows Remote Code Execution via hypercube X-Islandora-Args Header

Impact

What kind of vulnerability is it? Who is impacted?

Remote code execution is possible in web-accessible installations of hypercube.

Patches

Has the problem been patched? What versions should users upgrade to?

Not yet, though no patch is neccessary if your installation of the microservices is behind a firewall. See below.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

The exploit requires making a request against Hypercube's endpoints; therefore, the ability to make use of the exploit is much reduced if the microservice is not directly accessible from the Internet, so: Prevent general access from the Internet from hitting Hypercube. Furthermore, if you've used any of the official installation methods, your Crayfish will be behind a firewall and there is no work neccessary.

The webserver might be made to validate the structure of headers passed, but that would only be neccessary if you publicly exposed the endpoint. Standard security practices should be applied.

References

Are there any links users can visit to find out more?

XBOW-024-074

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-c2p2-hgjg-9r3f

EPSS Score

CWE

CWE-74

Published

2/12/2025

Updated

2/12/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
islandora/crayfish	composer	<= 4.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability involves RCE through the X-Islandora-Args header, which strongly suggests: 1) A controller handling HTTP requests 2) Direct use of header values in command execution 3) Lack of input sanitization. The HypercubeController would logically process hypercube endpoints and arguments. The CWEs indicate injection via improper neutralization, implying raw header values are used in system/exec calls. While exact code isn't available, the pattern matches common PHP command injection vulnerabilities where user-controlled headers are passed to shell commands.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t _W**t kin* o* vuln*r**ility is it? W*o is imp**t**?_ R*mot* *o** *x**ution is possi*l* in w**-****ssi*l* inst*ll*tions o* *yp*r*u**. ### P*t***s _**s t** pro*l*m ***n p*t****? W**t v*rsions s*oul* us*rs up*r*** to?_ Not y*t, t*ou** no

Reasoning

T** vuln*r**ility involv*s R** t*rou** t** X-Isl*n*or*-*r*s *****r, w*i** stron*ly su***sts: *) * *ontroll*r **n*lin* *TTP r*qu*sts *) *ir**t us* o* *****r v*lu*s in *omm*n* *x**ution *) L**k o* input s*nitiz*tion. T** `*yp*r*u***ontroll*r` woul* lo*

N/A

Basic Information

Concerned about an active attack path?

GHSA-c2p2-hgjg-9r3f: Crayfish Allows Remote Code Execution via hypercube X-Islandora-Args Header

Impact

Patches

Workarounds

References

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI