CVE-2025-25286
Published: 13 February 2025
Summary
CVE-2025-25286 is a critical-severity Improper Neutralization of Escape, Meta, or Control Sequences (CWE-150) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 11.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the RCE vulnerability by applying the patch in Crayfish version 4.1.0.
Enforces authentication and authorization mechanisms to reject requests with invalid Authorization headers before CLI interpolation in the /convert endpoint.
Monitors and controls communications at system boundaries to prevent general Internet access to the web-accessible Homarus microservice.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remote code execution flaw in a publicly accessible web microservice (/convert endpoint) exploitable with no authentication or user interaction, directly enabling T1190: Exploit Public-Facing Application for initial access and arbitrary code execution.
NVD Description
Crayfish is a collection of Islandora 8 microservices, one of which, Homarus, provides FFmpeg as a microservice. Prior to Crayfish version 4.1.0, remote code execution may be possible in web-accessible installations of Homarus in certain configurations. The issue has been…
more
patched in `islandora/crayfish:4.1.0`. Some workarounds are available. The exploit requires making a request against the Homarus's `/convert` endpoint; therefore, the ability to exploit is much reduced if the microservice is not directly accessible from the Internet, so: Prevent general access from the Internet from hitting Homarus. Alternatively or additionally, configure auth in Crayfish to be more strongly required, such that requests with `Authorization` headers that do not validate are rejected before the problematic CLI interpolation occurs.
Deeper analysisAI
CVE-2025-25286 is a remote code execution vulnerability in the Homarus microservice, part of Crayfish, which provides FFmpeg functionality as one of several Islandora 8 microservices. The flaw affects web-accessible installations of Homarus prior to Crayfish version 4.1.0 in certain configurations, stemming from issues mapped to CWE-150 and CWE-157. It carries a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and high impacts on confidentiality, integrity, and availability.
Attackers require no privileges or user interaction and can exploit the vulnerability by sending crafted requests to Homarus's /convert endpoint. Successful exploitation enables remote code execution on the affected system, potentially allowing full compromise in exposed environments.
The vulnerability is patched in islandora/crayfish:4.1.0, as detailed in the project's GitHub commit and security advisory. Workarounds include restricting general Internet access to Homarus to reduce exploitability or configuring stronger authentication in Crayfish to reject requests with invalid Authorization headers before the problematic CLI interpolation occurs.
Details
- CWE(s)