CVE-2025-46731 in Craft
Summary
by MITRE • 05/05/2025
Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contain a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and `ALLOW_ADMIN_CHANGES` must be enabled for this to work. Users should update to the patched versions 4.14.13 or 5.6.15 to mitigate the issue.
Analysis
by VulDB Data Team • 09/03/2025
This vulnerability resides within Craft CMS, a widely deployed PHP content management system built on the Twig templating engine. The flaw is a potential remote code execution vulnerability through Server-Side Template Injection (SSTI) in Twig. It affects versions prior to 4.14.13 on the 4.x branch and prior to 5.6.16 on the 5.x branch. Exploitation requires an authenticated administrator account and the general config setting `allowAdminChanges` (exposed to the environment as `ALLOW_ADMIN_CHANGES`) to be enabled. Those two preconditions substantially narrow the attack surface, but they do not remove the risk: a compromised or malicious admin account on an instance that still permits admin changes in production is exactly the situation the flaw turns into code execution.
Technically, the vulnerability stems from content supplied by an administrator through the control panel reaching Twig as template source rather than as data. Twig syntax embedded in that content is then parsed and evaluated on the server with the privileges of the PHP process, which is the defining characteristic of server-side template injection. The public advisory does not name the specific field or setting involved; what it does establish is that the affected code path is only reachable for admin users, and only when `ALLOW_ADMIN_CHANGES` is enabled, because that setting is what permits admins to alter system-level configuration from the control panel. The weakness is classified under CWE-94, "Improper Control of Generation of Code ('Code Injection')." The authentication and configuration requirements make opportunistic mass exploitation unlikely, but the issue remains dangerous wherever an attacker has obtained admin credentials, for example through phishing, credential reuse, or a session hijack.
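The following added example illustrates the Twig SSTI class described above; it is not Craft's own code and does not reproduce the actual vulnerable code path, which the advisory does not disclose. It uses the standalone Twig library that Craft embeds (install with `composer require twig/twig`) so it runs without a Craft installation. The function names and the probe string are this example's own constructions.

```php
<?php
// Added illustration of Twig SSTI: the same untrusted string handled two ways.
// Requires twig/twig (the templating engine Craft CMS is built on).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// A Twig environment with no file-backed templates; autoescape defaults to 'html'.
$twig = new Environment(new ArrayLoader([]));

/**
 * VULNERABLE pattern: the untrusted value is concatenated into the template
 * SOURCE, so any Twig syntax it contains is parsed and executed server-side.
 * This is the shape of flaw CWE-94 / SSTI describes.
 */
function renderGreetingUnsafe(Environment $twig, string $untrusted): string
{
    $source = 'Hello ' . $untrusted . '!';      // attacker text becomes template code
    return $twig->createTemplate($source)->render([]);
}

/**
 * HARDENED pattern: the template source is a fixed string the developer owns;
 * the untrusted value is bound as a VARIABLE, so Twig only ever treats it as
 * data (and HTML-escapes it on output thanks to autoescape).
 */
function renderGreetingSafe(Environment $twig, string $untrusted): string
{
    $source = 'Hello {{ name }}!';              // no untrusted text in the source
    return $twig->createTemplate($source)->render(['name' => $untrusted]);
}

// Constructed probe: the harmless arithmetic check an auditor uses to confirm
// that input is being evaluated as a template rather than displayed as text.
$probe = '{{ 7*7 }}';

echo renderGreetingUnsafe($twig, $probe), PHP_EOL; // Hello 49!        (evaluated)
echo renderGreetingSafe($twig, $probe), PHP_EOL;   // Hello {{ 7*7 }}! (literal)

// A second constructed input shows the safe path also neutralises markup.
echo renderGreetingSafe($twig, '<b>x</b>'), PHP_EOL; // Hello &lt;b&gt;x&lt;/b&gt;!
```

If the unsafe version prints `49`, template code is executing; in a real Twig environment the same channel can reach object methods and PHP callables exposed to templates, which is what turns SSTI into code execution. The fix is structural: keep template source static and pass everything user-controlled as variables, never as source.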
The operational impact goes well beyond a single injected expression: successful exploitation yields arbitrary code execution as the web server user, which in practice means control of the Craft instance and everything that account can reach. An attacker could read the database credentials and other secrets from the application's `.env` file, exfiltrate or alter content, create additional administrative accounts for persistence, or use the host as a pivot into the surrounding network. The administrator and `ALLOW_ADMIN_CHANGES` preconditions make the attack targeted rather than opportunistic, but the damage ceiling is high precisely because admins already hold broad power over the application. In ATT&CK terms this is Command and Scripting Interpreter (T1059); since Craft is a PHP application most often hosted on Linux, the Unix Shell sub-technique (T1059.004) is the usual fit, with PowerShell (T1059.001) relevant only on Windows-hosted instances.
Organizations using Craft CMS should prioritize immediate remediation by upgrading to 4.14.13 on the 4.x branch or 5.6.16 on the 5.x branch; `composer show craftcms/cms` reports the installed version. Security teams should also review the `allowAdminChanges` general config setting and keep it disabled in production unless a specific administrative task requires it, deploying settings changes through project config files instead; note that this reduces exposure but is not a substitute for the patch. Additional mitigations include enforcing strong authentication on administrator accounts, restricting control panel access by network location where feasible, monitoring for unusual administrative activity, and retaining logs of template and configuration changes. The vulnerability is a reminder that template engines must treat every user-controlled value as data, never as template source, and that any feature allowing dynamic content generation deserves explicit input validation. Regular security assessments and vulnerability scanning should be conducted to identify similar issues in other components of the web application stack.
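Added example of how the recommended configuration looks in Craft's multi-environment `config/general.php`; this is an illustration written for this page, not the file from any real deployment. It relies on Craft's documented convention that the `'*'` key applies to all environments and that an environment-name key, matched against the `CRAFT_ENVIRONMENT` variable, overrides it.

```php
<?php
// config/general.php (added example, not a project file)
//
// Craft merges the '*' block with the block whose key equals CRAFT_ENVIRONMENT.
// allowAdminChanges defaults to true, which is the weak state on production:
// every admin account may then edit system settings / project config from the
// control panel, the precondition for CVE-2025-46731.

return [
    '*' => [
        // Convenient while developing: admins may change fields, sections,
        // plugins and other system settings from the control panel.
        'allowAdminChanges' => true,
    ],

    'production' => [
        // WEAK (the default, shown for contrast; do not ship this):
        // 'allowAdminChanges' => true,

        // HARDENED: the control panel becomes read-only for system settings.
        // Changes are made in a lower environment and promoted by deploying
        // the config/project/ YAML files, never live on production.
        'allowAdminChanges' => false,
    ],
];
```

After deploying, log in as an admin on production and confirm that the Settings area is read-only and the control panel shows its admin-changes-disabled notice; if it does not, `CRAFT_ENVIRONMENT` is probably not set to `production` on that host. Craft 4 and later also accept the override as an environment variable (`CRAFT_ALLOW_ADMIN_CHANGES=false` in `.env`), which is handy when the config file is shared across environments; that naming follows Craft's `CRAFT_` prefix convention for general config overrides, stated here as an assumption to verify against the version in use.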