CVE-2025-35939 in Craft CMS

Summary

by MITRE • 05/08/2025

Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at `/var/lib/php/sessions`. Such session files are named `sess_[session_value]`, where `[session_value]` is provided to the client in a `Set-Cookie` response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue.


Analysis

by VulDB Data Team • 08/23/2025

This vulnerability in Craft CMS is an unauthenticated file-content injection: data supplied by an anonymous client is persisted, unsanitized, into a server-side PHP session file. Writing to a session file does not by itself execute anything; it becomes code execution only when combined with a second primitive that includes or evaluates an attacker-chosen local file (a local file inclusion bug, for instance), which is why the advisory says the content could be executed "possibly using an independent vulnerability". The flaw lives in how the CMS handles the return URL it remembers across the login redirect, and it rides on PHP's standard file-based session handler, which persists session data to disk (commonly `/var/lib/php/sessions` on Debian-based systems), so the exposure is tied directly to the PHP session configuration and to the file system permissions on that directory.

The mechanism is the application's failure to sanitize the return URL before storing it. When an unauthenticated client requests a resource that requires login, Craft CMS redirects to the login page and records the originally requested URL in the session so it can send the user back after authentication. That URL, query string included, is written verbatim into the session file. The server tells the client its session ID in the `Set-Cookie` response header, and the file is stored as `sess_[session_value]` under the session save path, so the attacker has nothing to guess or forge: the path of the file holding their payload is derived from a cookie the server handed them. An attacker therefore requests a protected URL whose query string carries a PHP open tag and code, reads the session ID out of the response, and now knows a local file that contains `<?php ...`. If any other weakness lets them cause PHP to include or evaluate that file, the embedded code runs with the web server's privileges.
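How the unsanitized return URL ends up on disk, as an added example that is not Craft CMS code: the snippet models in Python what PHP's default `files` save handler writes (one `sess_<id>` file per session, in the `php` serialize layout `key|s:<len>:"<value>";`), derives the on-disk path from the `Set-Cookie` value the attacker receives, and places a stricter return-URL validator beside the weak pattern. The session key `__returnUrl`, the save path and the cookie name are assumptions used only for illustration (the cookie name depends on the application's session configuration, so it is a parameter); the malicious URL is constructed.

```python
# Added example (not Craft CMS code): model of PHP file-based sessions
# showing where an unsanitized return URL lands, and a stricter validator.
# Assumptions: session key "__returnUrl", default save path, cookie name
# passed by the caller; the attacker URL below is constructed for the demo.
import re
from urllib.parse import urlsplit

PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# PHP session IDs use [0-9a-zA-Z,-]; the length depends on session.sid_length.
SESSION_ID = re.compile(r"[A-Za-z0-9,-]{22,256}")


def php_session_record(data: dict) -> bytes:
    """Encode flat str values the way PHP's "php" serialize handler writes
    $_SESSION to disk: key|s:<bytelen>:"<value>"; for each key."""
    out = b""
    for key, value in data.items():
        raw = value.encode("utf-8")
        out += b'%s|s:%d:"%s";' % (key.encode(), len(raw), raw)
    return out


def session_path_from_cookie(set_cookie: str, cookie_name: str,
                             save_path: str = "/var/lib/php/sessions") -> str:
    """What the response leaks to the client: the Set-Cookie value names
    the file the "files" handler writes (<save_path>/sess_<id>)."""
    name, _, rest = set_cookie.partition("=")
    if name.strip() != cookie_name:
        raise ValueError("unexpected cookie name")
    sid = rest.split(";", 1)[0].strip()
    if not SESSION_ID.fullmatch(sid):
        raise ValueError("not a plausible PHP session id")
    return f"{save_path}/sess_{sid}"


def remember_return_url_weak(session: dict, requested_url: str) -> None:
    """The weak pattern: persist the requested URL verbatim."""
    session["__returnUrl"] = requested_url


def sanitize_return_url(requested_url: str, fallback: str = "/") -> str:
    """Keep only a same-site, printable path plus query; otherwise fall back.
    Rejects absolute and protocol-relative URLs (open redirect), control
    characters, and PHP open tags so no executable text reaches the file."""
    parts = urlsplit(requested_url)
    if parts.scheme or parts.netloc:
        return fallback
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return fallback
    candidate = parts.path + (f"?{parts.query}" if parts.query else "")
    if not candidate.isprintable() or PHP_OPEN_TAG.search(candidate.encode()):
        return fallback
    return candidate[:2048]  # bound what a session entry may hold


def demo(attacker_url: str = "/admin?x=<?php system($_GET['c']); ?>"):
    """Build the on-disk record both ways for a constructed malicious URL.
    Returns (weak_record, hardened_record)."""
    weak, hardened = {}, {}
    remember_return_url_weak(weak, attacker_url)
    hardened["__returnUrl"] = sanitize_return_url(attacker_url)
    return php_session_record(weak), php_session_record(hardened)


if __name__ == "__main__":
    weak_rec, hardened_rec = demo()
    print("weak    :", weak_rec)
    print("hardened:", hardened_rec)
    cookie = "PHPSESSID=" + "a" * 32 + "; path=/; HttpOnly"
    print("on disk :", session_path_from_cookie(cookie, "PHPSESSID"))
```

The weak record is exactly what a later `include` of the session file would hand to the PHP parser; the hardened record degrades anything that is not a plain same-site path to the fallback, which also closes the open-redirect angle that return-URL handling usually carries. Filtering `<?` is defence in depth only; the structural fix is that nothing in the application should be able to include a file under the session save path.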

The operational impact follows from that chain. Once a second primitive exists, the attacker runs arbitrary PHP as the web server user and can take over the application and, from there, attack the host; escalation to root is not implied by this issue and depends on the server's own hardening. The vulnerability is classified under CWE-94, "Improper Control of Generation of Code ('Code Injection')". It is best understood as one half of an exploitation chain: on its own it is an arbitrary-content write to a known local path, and its severity is governed by what else is reachable on the same host, in particular any include, require or file-evaluation path with attacker influence. The least-privilege lesson concerns the session store rather than file modes: session files must be readable and writable by the PHP process, so they are always a candidate target for include-based attacks, and the defence is to keep attacker-controlled bytes out of them and to keep include primitives away from the session directory.

Security practitioners should upgrade to the patched versions 5.7.5 (Craft 5) and 4.15.3 (Craft 4), which sanitize the return URL before it is stored. Beyond patching, review the PHP session configuration: keep `session.save_path` outside the document root with permissions restricted to the PHP user, keep `allow_url_include` off, and make sure `open_basedir` (where used) does not leave the session directory reachable from include paths that take user input. A web application firewall can add defence in depth by blocking requests whose URL or query contains PHP open tags (`<?php`, `<?=`), but that is a signature, not a fix. In ATT&CK terms the post-exploitation step maps to T1059 (Command and Scripting Interpreter); there is no PHP-specific sub-technique, and T1059.007 denotes JavaScript, so detections should not be tagged with it. Useful detection signals are session files that contain PHP tags, unusually large session files created by unauthenticated requests, and any include or file-read primitive that resolves into the session directory. Finally, apply the session-hygiene controls that limit blast radius: `session.use_strict_mode` so the server honours only IDs it generated itself, short session lifetimes with regular garbage collection, and, where possible, a session handler that does not write attacker-influenced data to a local file the web server can include.
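A detection pass over the session store, as an added example rather than Craft CMS or VulDB tooling: it walks a session directory, parses each `sess_*` file by the declared string lengths of the `php` serialize layout (so a payload cannot hide behind a fake `";key|s:` delimiter), and reports files whose values contain a PHP open tag. The fixture files it creates are constructed samples; the directory layout and key names are assumptions, and nested array entries are not parsed but fall back to a raw scan.

```python
# Added detection example (not Craft CMS or VulDB code): find PHP open tags
# inside file-based PHP session records. Fixtures are constructed samples;
# key names and the directory layout are assumptions for the demo.
import os
import re
import tempfile

# Any "<?" is treated as suspicious: "<?php" and "<?=" always open code, and a
# bare "<?" does too when short_open_tag is enabled. Err on the side of noise.
PHP_TAG = re.compile(rb"<\?")
# A string entry as written by the "php" serialize handler: key|s:<len>:"
STRING_ENTRY = re.compile(rb'([A-Za-z0-9_]+)\|s:(\d+):"')


def string_entries(blob: bytes):
    """Walk the record sequentially, honouring declared string lengths.
    Scalar non-string values (i:, b:, d:, N;) are skipped at their ';';
    nested arrays are not parsed here, and the caller falls back to a raw
    scan for anything this walker does not cover."""
    pos = 0
    while pos < len(blob):
        m = STRING_ENTRY.match(blob, pos)
        if m:
            length = int(m.group(2))
            start = m.end()
            yield m.group(1).decode(), blob[start:start + length]
            pos = start + length + 2          # skip the closing '";'
        else:
            end = blob.find(b";", pos)
            if end < 0:
                break
            pos = end + 1


def suspicious_keys(blob: bytes) -> list:
    """Session keys whose string value contains a PHP tag. Because values
    are sliced by declared length, '";evil|s:5:"<?php' inside a value is
    attributed to the real key, not to a forged one."""
    return [key for key, value in string_entries(blob) if PHP_TAG.search(value)]


def scan_session_dir(save_path: str) -> list:
    """Scan sess_* files under save_path and report those carrying PHP tags."""
    findings = []
    for name in sorted(os.listdir(save_path)):
        if not name.startswith("sess_"):
            continue
        full = os.path.join(save_path, name)
        with open(full, "rb") as fh:
            blob = fh.read()
        keys = suspicious_keys(blob)
        if not keys and PHP_TAG.search(blob):
            keys = ["<unparsed>"]   # tag outside any entry the walker understood
        if keys:
            findings.append({"file": full, "keys": keys, "size": len(blob)})
    return findings


def _entry(key: str, value: str) -> bytes:
    raw = value.encode()
    return b'%s|s:%d:"%s";' % (key.encode(), len(raw), raw)


def build_sample_dir() -> str:
    """Constructed fixtures, not real captures: a clean session, one whose
    return URL carries a payload, and one whose value tries to confuse a
    naive splitter with a fake delimiter and key."""
    d = tempfile.mkdtemp(prefix="sess-demo-")
    samples = {
        "sess_" + "a" * 32: _entry("__returnUrl", "/admin") + b"counter|i:3;",
        "sess_" + "b" * 32: _entry("__returnUrl", "/admin?x=<?php system($_GET['c']); ?>"),
        "sess_" + "c" * 32: _entry("note", 'fake delimiter ";evil|s:5:"<?php'),
    }
    for name, blob in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(blob)
    return d


if __name__ == "__main__":
    for hit in scan_session_dir(build_sample_dir()):
        print(hit)
```

Run it against the real `session.save_path` (as a user allowed to read it) on a schedule, or feed the findings into whatever raises alerts; any hit is worth correlating with the unauthenticated request that created the session, since a legitimate return URL has no reason to contain `<?`.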

Responsible

Cisa-cg

Reservation

04/15/2025

Disclosure

05/08/2025

Moderation

accepted

CPE

ready

EPSS

0.01119

KEV

yes

Activities

very low
