First published: Sat Jan 18 2025
### Impact

This is an RCE vulnerability that affects Craft 4 and 5 installs where the security key has already been compromised (see https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret). Anyone running an unpatched version of Craft with a compromised security key is affected; a leaked key is the precondition, so protecting it is part of the fix and not only the patch.

### Patches

This has been patched in Craft 5.5.8 and 4.13.8.

### Workarounds

If you can't update to a patched version, rotating your security key and ensuring it stays private will help to mitigate the issue.

### References

https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
composer/craftcms/cms | >=4.0.0-RC1 <4.13.8 | 4.13.8 |
composer/craftcms/cms | >=5.0.0-RC1 <5.5.8 | 5.5.8 |
Craft CMS | 4.x <4.13.8; 5.x <5.5.8 | 4.13.8 / 5.5.8 |
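The ranges above include release candidates (the lower bound is 4.0.0-RC1 / 5.0.0-RC1) and a fix version that is itself excluded, so a plain string comparison gets them wrong. The following is an added example, not code from SecAlerts or from Craft CMS, that reads the installed `craftcms/cms` version out of a `composer.lock` and checks it against the two ranges on this page. It assumes the standard Composer lock layout (`packages[].name` / `packages[].version`) and the fixed versions 4.13.8 and 5.5.8 stated above; the sample lock document is constructed for the example.

```python
import json
import re

# Fixed versions from the advisory table on this page, keyed by major version.
FIXED = {4: (4, 13, 8), 5: (5, 5, 8)}

_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Parse 'X.Y.Z' or 'X.Y.Z-RC1' into a comparable tuple.

    A pre-release sorts below the matching final release, so 5.0.0-RC1 < 5.0.0
    and 5.5.8-RC1 < 5.5.8; that is exactly why the advisory's lower bound
    '>=5.0.0-RC1' pulls release candidates into the affected range.
    """
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    # Fourth element: 0 for pre-release, 1 for final; fifth: the pre-release tag.
    return (major, minor, patch, 0 if pre else 1, pre or "")


def is_affected(version):
    """True if the given craftcms/cms version falls in an affected range on this page.

    Returns None for major versions the page does not list (e.g. 3.x), because the
    advisory makes no statement about them either way.
    """
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return None
    # Everything below the fix version (including the fix's own RCs) is affected.
    return v < fixed + (1, "")


def installed_cms_version(composer_lock_text):
    """Return the locked craftcms/cms version from composer.lock JSON, or None."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg["version"]
    return None


def check_lock(composer_lock_text):
    """Classify a composer.lock as ('affected' | 'patched' | 'unlisted' | 'not-installed', version)."""
    v = installed_cms_version(composer_lock_text)
    if v is None:
        return ("not-installed", None)
    verdict = is_affected(v)
    if verdict is None:
        return ("unlisted", v)
    return ("affected" if verdict else "patched", v)


# Constructed sample lock document (not from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.5.5"},
        {"name": "yiisoft/yii2", "version": "2.0.49"},
    ]
})

if __name__ == "__main__":
    with open("composer.lock") as fh:  # run from the Craft project root
        print(check_lock(fh.read()))
```

Run it from the project root; a result of `('affected', ...)` means the install needs 4.13.8 / 5.5.8, and in the meantime the security key should be rotated and kept out of version control as the workaround above says.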
CVE-2025-23209 is rated as a critical remote code execution vulnerability affecting Craft CMS installations.
To fix CVE-2025-23209, upgrade your Craft CMS installation to version 4.13.8 (4.x) or 5.5.8 (5.x) or later.
CVE-2025-23209 affects users of Craft CMS 4.x and 5.x whose security key has been compromised; the leaked key is a precondition for exploitation.
Exploitation of CVE-2025-23209 could allow an attacker who holds the security key to execute arbitrary code on the affected server.
To mitigate CVE-2025-23209, upgrade to the patched versions and, if there is any chance the security key has leaked, rotate it and keep the new one private.