A significant security flaw in the Craft content management system (CMS) has been added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation.
The vulnerability, identified as CVE-2025-23209 (with a CVSS score of 8.1), affects Craft CMS versions 4 and 5. It was addressed by the project maintainers in late December 2024 with the release of versions 4.13.8 and 5.5.8.
According to the agency, “Craft CMS contains a code injection vulnerability that allows for remote code execution as vulnerable versions have compromised user security keys.”
The vulnerability affects the following software versions:
- >= 5.0.0-RC1, < 5.5.5
- >= 4.0.0-RC1, < 4.13.8
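Because both ranges start at a release candidate, a version check has to order pre-release tags correctly: under semantic versioning `5.0.0-RC1` sorts *below* `5.0.0`, so a naive string or digit-tuple comparison would wrongly report release candidates as outside the affected range. The following Python script is an added example, not code from Craft CMS, CISA or the article; the range bounds are taken verbatim from the list above, and the `composer.lock` fragment is a constructed sample, not data from any real deployment.

```python
"""Check an installed Craft CMS version against the CVE-2025-23209 affected ranges.

Added example; not part of the article or the Craft CMS project.
"""
import json
import re

# Affected ranges exactly as published: [lower bound inclusive, upper bound exclusive)
AFFECTED_RANGES = [
    ("5.0.0-RC1", "5.5.5"),
    ("4.0.0-RC1", "4.13.8"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH[-PRERELEASE]' into a tuple that sorts per semver.

    A pre-release (e.g. 5.0.0-RC1) must sort *before* its release (5.0.0), so the
    fourth element is 0 for pre-release and 1 for release. Within a pre-release,
    numeric identifiers compare numerically and rank below alphabetic ones.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = m.groups()
    core = (int(major), int(minor), int(patch))
    if pre is None:
        return core + (1, ())
    idents = []
    for ident in pre.split("."):
        # Split runs such as "RC1" into ("rc", 1) so RC2 < RC10 compares correctly.
        parts = tuple(
            (0, int(run)) if run.isdigit() else (1, run.lower())
            for run in re.findall(r"\d+|[A-Za-z]+", ident)
        )
        idents.append(parts)
    return core + (0, tuple(idents))


def is_affected(version, ranges=AFFECTED_RANGES):
    """Return True if `version` lies inside any published affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


def craft_version_from_composer_lock(lock_text):
    """Extract the installed craftcms/cms version from composer.lock contents.

    Composer records the resolved version per package under "packages";
    a leading "v" is stripped in case a tag-style version was recorded.
    """
    data = json.loads(lock_text)
    for pkg in data.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg["version"].lstrip("v")
    return None


# Constructed sample composer.lock fragment (not taken from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "yiisoft/yii2", "version": "2.0.49"},
        {"name": "craftcms/cms", "version": "4.13.7"},
    ]
})


if __name__ == "__main__":
    installed = craft_version_from_composer_lock(SAMPLE_LOCK)
    status = "AFFECTED" if is_affected(installed) else "not in affected range"
    print(f"craftcms/cms {installed}: {status}")
    for v in ("5.0.0-RC1", "5.0.0-RC2", "5.5.4", "5.5.5", "4.13.8", "3.9.0"):
        print(f"{v:>10}: {'affected' if is_affected(v) else 'not affected'}")
```

Run it against a real `composer.lock` by replacing `SAMPLE_LOCK` with the file's contents. The version check only tells you whether the installed release falls inside the published ranges; per the advisory quoted below, an unpatched install is exploitable when its security key has been exposed, so a result of "affected" should be paired with the key-rotation step the maintainers describe.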
According to a GitHub advisory released by Craft CMS, all unpatched versions of Craft with a compromised security key are impacted by the security defect.
Craft CMS noted that “if you can’t update to a patched version, then rotating your security key and ensuring its privacy will help to mitigate the issue.”
At present, the circumstances surrounding the compromise of user security keys are unclear. To mitigate the risk posed by the vulnerability, Federal Civilian Executive Branch (FCEB) agencies are advised to apply the necessary fixes by March 13, 2025.