CVE-2025-25286
Published: 13 February 2025
Summary
CVE-2025-25286 is a critical-severity Improper Neutralization of Escape, Meta, or Control Sequences (CWE-150) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 10.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).
Deeper analysis
Crayfish is a collection of Islandora 8 microservices, and the Homarus component exposes FFmpeg functionality via a web endpoint. Prior to version 4.1.0, the service performed insufficient validation of input supplied to the /convert endpoint, allowing command-line argument interpolation that could be abused for remote code execution when the microservice was reachable over the network. The vulnerability is tracked as CVE-2025-25286 with a CVSS 3.1 score of 9.8 and is associated with CWE-150 and CWE-157.
An unauthenticated remote attacker can send a crafted request directly to the Homarus /convert endpoint and achieve arbitrary command execution on the underlying host, resulting in full confidentiality, integrity, and availability impact. Exploitation requires the microservice to be web-accessible and does not depend on user interaction or authentication in the vulnerable configurations.
The issue is fixed in islandora/crayfish:4.1.0. The published advisory recommends either blocking unauthenticated Internet access to Homarus entirely or enforcing stricter authorization checks so that requests containing invalid Authorization headers are rejected before any CLI interpolation occurs. The associated commit and GitHub Security Advisory provide the patch details.
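The request-handling order the advisory describes (boundary restriction first, then authorization, then argument handling, all before any ffmpeg command line exists), as an added Python example that is not Crayfish's or Homarus's own code. The trusted network, the HMAC-based bearer-token scheme and the output-format allowlist are assumptions that stand in for the real Crayfish configuration.

```python
import hashlib
import hmac
import ipaddress

# Constructed configuration for the example; a real deployment loads these from config.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # boundary: who may reach /convert
SHARED_SECRET = b"example-secret-not-for-production"  # hypothetical token key
ALLOWED_FORMATS = {"mp4", "webm", "ogg"}              # only these values reach ffmpeg


def make_token(subject):
    """Mint 'subject.hexmac' for a caller (hypothetical scheme standing in for Crayfish auth)."""
    mac = hmac.new(SHARED_SECRET, subject.encode(), hashlib.sha256).hexdigest()
    return f"{subject}.{mac}"


def token_is_valid(auth_header):
    """True only for 'Bearer subject.hexmac' whose MAC verifies; anything else is rejected."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return False
    subject, _, mac = auth_header[len("Bearer "):].rpartition(".")
    if not subject or not mac:
        return False
    expected = hmac.new(SHARED_SECRET, subject.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def gate_convert(remote_ip, headers, requested_format, source_path):
    """Return (True, argv) or (False, reason).

    Every check runs before argv is built, so a rejected request never contributes
    a byte to the ffmpeg command line. source_path is a server-resolved local path,
    not a value taken from the request.
    """
    if not any(ipaddress.ip_address(remote_ip) in net for net in TRUSTED_NETS):
        return False, "boundary: source address outside trusted networks"
    if not token_is_valid(headers.get("Authorization")):
        return False, "auth: missing or invalid Authorization header"
    if requested_format not in ALLOWED_FORMATS:
        return False, "input: output format not on the allowlist"
    # argv is a list with one element per argument and is meant to be executed
    # without a shell (e.g. subprocess.run(argv, ...)); no request text is ever
    # interpolated into a command string.
    argv = ["ffmpeg", "-i", source_path, "-f", requested_format, "pipe:1"]
    return True, argv
```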
EPSS for the CVE remains low and unchanged at 0.0438 with no observed upward trajectory after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-0100
Vulnerability details
Crayfish is a collection of Islandora 8 microservices, one of which, Homarus, provides FFmpeg as a microservice. Prior to Crayfish version 4.1.0, remote code execution may be possible in web-accessible installations of Homarus in certain configurations. The issue has been patched in `islandora/crayfish:4.1.0`. Some workarounds are available. The exploit requires making a request against Homarus's `/convert` endpoint; therefore, the ability to exploit is much reduced if the microservice is not directly accessible from the Internet, so: prevent general access from the Internet from hitting Homarus. Alternatively or additionally, configure auth in Crayfish to be more strongly required, such that requests with `Authorization` headers that do not validate are rejected before the problematic CLI interpolation occurs.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote code execution flaw in a publicly accessible web microservice (/convert endpoint) exploitable with no authentication or user interaction, directly enabling T1190: Exploit Public-Facing Application for initial access and arbitrary code execution.
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation (upgrade to Crayfish 4.1.0): directly remediates the RCE vulnerability by applying the fix shipped in that release.
- AC-3 (Access Enforcement): enforces authentication and authorization so that requests with invalid Authorization headers are rejected before CLI interpolation in the /convert endpoint.
- SC-7 (Boundary Protection): monitors and controls communications at system boundaries to prevent general Internet access to the web-accessible Homarus microservice.