Arbitrary File Write Vulnerability in Craft CMS by Pixel & Tonic
CVE-2025-35939

6.9MEDIUM

Key Information:

Vendor

Craft

Status
Vendor
CVE Published:
7 May 2025

Badges

๐Ÿ‘พ Exploit Exists๐Ÿฆ… CISA Reported

What is CVE-2025-35939?

Craft CMS is vulnerable to an arbitrary file write issue where unauthenticated users can store unvalidated content in session files on the server. This flaw allows attackers to potentially introduce malicious code via crafted session values. The redirection of authentication-required requests to the login page facilitates the exploitation of this vulnerability, as the system saves dangerous content without proper sanitization. The issue has been addressed in the latest updates for affected versions.

CISA has reported CVE-2025-35939

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2025-35939 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace

The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

CMS 0 < 5.7.5

CMS 0 < 4.15.3

CMS 5.7.5

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐Ÿ‘พ

    Exploit known to exist

  • ๐Ÿฆ…

    CISA Reported

  • Vulnerability published

  • Vulnerability Reserved

Credit

Joel Land, undefined
.