Remote Code Execution Vulnerability in Craft CMS by Pixel & Tonic
CVE-2025-57811
What is CVE-2025-57811?
CVE-2025-57811 is a critical vulnerability in Craft CMS, a content management system developed by Pixel & Tonic for building custom digital experiences. It is a server-side template injection (SSTI) flaw in the way Craft CMS uses the Twig templating engine: attacker-influenced input can be evaluated as Twig template code rather than handled as data, so an attacker who can supply such input is able to execute arbitrary code on the server. Affected versions are 4.0.0-RC1 through 4.16.5 and 5.0.0-RC1 through 5.8.6; the fix ships in 4.16.6 and 5.8.7. Successful exploitation gives an attacker access to sensitive data, control over site functionality and, ultimately, the integrity of the host, which can be devastating for organizations that rely on Craft CMS for their operations.
Potential impact of CVE-2025-57811
- Remote Code Execution: The vulnerability lets an attacker execute arbitrary code on the server, which can lead to full system compromise. A threat actor could gain elevated privileges on the host, install malware, steal sensitive information and manipulate published content.
- Data Breach Risks: Organizations running Craft CMS face a significant risk of a data breach if the flaw is exploited. Sensitive user information, including credentials and personal data, could be read or exfiltrated, resulting in compliance violations and loss of customer trust.
- Web Application Manipulation: An attacker could alter the behaviour of a site built on Craft CMS, disrupting services, injecting malicious content or redirecting users, with reputational and financial consequences for the affected organization.
Affected Version(s)
Package   Affected versions          Unaffected versions
cms       >= 4.0.0-RC1, < 4.16.6     < 4.0.0-RC1, >= 4.16.6
cms       >= 5.0.0-RC1, < 5.8.7      < 5.0.0-RC1, >= 5.8.7
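The practical question for a site owner is whether the installed craftcms/cms package falls inside one of the two affected ranges above. The following Python check is an added example, not code from Craft CMS or Pixel & Tonic: it reads the locked craftcms/cms version out of a project's composer.lock and compares it against the ranges from this advisory. The composer.lock content is constructed for the example, and the ordering rule that a pre-release such as 4.0.0-RC1 sorts before the 4.0.0 release is an assumption about Craft's version numbering (it matches Composer's semantic-versioning convention).

```python
"""Check an installed craftcms/cms version against the CVE-2025-57811 ranges.

Added example, not Craft CMS / Pixel & Tonic code. The composer.lock JSON
embedded below is constructed for illustration.
"""
import json
import re

# Affected ranges from the advisory: inclusive first affected version,
# exclusive first fixed version, one entry per major line.
AFFECTED_RANGES = [
    ("4.0.0-RC1", "4.16.6"),
    ("5.0.0-RC1", "5.8.7"),
]

# Matches "4.16.5", "v3.21.1", "4.0.0-RC1", "4.0.0-beta.3".
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)\.?(\d*))?$", re.IGNORECASE
)


def version_key(version):
    """Map a Craft-style version string to a tuple that sorts correctly.

    Assumption: pre-releases sort before the matching release, so
    4.0.0-RC1 < 4.0.0, and alpha < beta < rc within one version.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, stage, num = m.groups()
    # Final releases get the highest stage rank so they sort last.
    stage_rank = {"alpha": 0, "beta": 1, "rc": 2}.get((stage or "").lower(), 3)
    return (int(major), int(minor), int(patch), stage_rank, int(num or 0))


def is_affected(version):
    """True if version lies in any affected range: lo <= version < fixed."""
    k = version_key(version)
    return any(
        version_key(lo) <= k < version_key(fixed) for lo, fixed in AFFECTED_RANGES
    )


def installed_cms_version(composer_lock_text):
    """Return the locked craftcms/cms version from composer.lock, or None."""
    data = json.loads(composer_lock_text)
    for pkg in data.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg["version"]
    return None


# Constructed sample lock file: a Craft 5 site one patch release short of the fix.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "twig/twig", "version": "v3.21.1"},
        {"name": "craftcms/cms", "version": "5.8.6"},
    ]
})


if __name__ == "__main__":
    v = installed_cms_version(SAMPLE_LOCK)
    print(f"craftcms/cms {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
```

To run it against a real project, replace SAMPLE_LOCK with the contents of the site's composer.lock (composer.json only records a constraint such as ^5.0, not the version actually installed, which is why the lock file is read). A version string the regex does not recognise raises ValueError rather than silently reporting "not affected".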