Cyber Resilience

CVE-2025-0502

Medium

Published: 15 January 2025

Published
15 January 2025
Modified
15 December 2025
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0049 65.9th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-0502 is a medium-severity Resource Leak (CWE-402) vulnerability in Craftercms Craftercms. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 34.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2025-0502 is a Transmission of Private Resources into a New Sphere ('Resource Leak') vulnerability in the CrafterCMS Engine, enabling Directory Indexing and Resource Leak Exposure. It affects CrafterCMS versions from 4.0.0 prior to 4.0.8 and from 4.1.0 prior to 4.1.6, across Linux, macOS, x86, Windows, 64-bit, and ARM platforms. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) and maps to CWE-402.

Remote unauthenticated attackers can exploit this vulnerability with low attack complexity and no user interaction. Exploitation grants access to private resources via directory indexing and leaks, leading to high-impact confidentiality loss through exposure of sensitive data and high-impact availability disruption.

The official CrafterCMS security advisory provides mitigation guidance at https://craftercms.com/docs/current/security/advisory.html#cv-2025011501. Affected systems should be upgraded to CrafterCMS 4.0.8 or later, or 4.1.6 or later, to address the issue.

EU & UK References

Vulnerability details

Transmission of Private Resources into a New Sphere ('Resource Leak') vulnerability in CrafterCMS Engine on Linux, MacOS, x86, Windows, 64 bit, ARM allows Directory Indexing, Resource Leak Exposure.This issue affects CrafterCMS: from 4.0.0 before 4.0.8, from 4.1.0 before 4.1.6.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct exploitation of public-facing CrafterCMS Engine via unauthenticated directory indexing/resource leak for sensitive data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-21218Same product: Apple Macos
CVE-2026-32178Same product: Apple Macos
CVE-2026-3598Same product: Apple Macos
CVE-2026-28710Same product: Linux Linux Kernel
CVE-2024-41763Same product: Linux Linux Kernel
CVE-2025-23310Same product: Linux Linux Kernel
CVE-2025-23311Same product: Linux Linux Kernel
CVE-2025-23319Same product: Linux Linux Kernel
CVE-2025-23318Same product: Linux Linux Kernel
CVE-2024-41767Same product: Linux Linux Kernel

Affected Assets

craftercms
craftercms
4.0.0 — 4.0.8 · 4.1.0 — 4.1.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the resource leak vulnerability by requiring timely patching of CrafterCMS to fixed versions 4.0.8 or 4.1.6 as per the vendor advisory.

prevent

Ensures secure configuration settings in the CrafterCMS engine to disable directory indexing and prevent exposure of private resources.

prevent

Restricts public access to private resources, directly countering the directory indexing leak that exposes sensitive data without authentication.

References