Cyber Resilience

CVE-2025-35939

Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 07 May 2025
Modified: 24 October 2025
KEV Added: 02 June 2025
Patch: available (5.7.5 / 4.15.3)
CVSS Score (v4): 6.9 (Medium), vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.3940 (97.4th percentile)
Risk Priority: 57 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-35939 is a medium-severity External Control of Assumed-Immutable Web Parameter (CWE-472) vulnerability in Craft CMS (craftcms). Its CVSS v4 base score is 6.9 (Medium).

Operationally, it ranks in the top 2.6% of CVEs by EPSS exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Craft CMS is vulnerable to storage of arbitrary content supplied by unauthenticated users inside PHP session files on disk. The affected component is the authentication redirect logic: when a request for a protected resource is bounced to the login page, the requested return URL is placed in the session without sanitization, and PHP's file-based session handler then persists it to a file named sess_[session_value] under session.save_path (/var/lib/php/sessions on Debian-based systems; other distributions and custom php.ini settings use different paths). Versions prior to 5.7.5 (5.x) and prior to 4.15.3 (4.x) are affected.

An unauthenticated remote attacker can request a protected resource with a crafted return URL containing PHP code or other attacker-chosen text. Craft CMS stores that value in the session, so it lands verbatim in a session file whose name the attacker already knows, because [session_value] is handed back in the Set-Cookie response header. On its own this only writes a file readable by the web server user; it becomes dangerous when combined with an independent file-inclusion or code-execution flaw that can include or evaluate a path the attacker controls.

The project has published releases 5.7.5 and 4.15.3 that correct the issue, along with a corresponding pull request that sanitizes the return URL before it is stored in the session. The vendor advisory itself does not describe observed exploitation, but CISA added the CVE to its Known Exploited Vulnerabilities catalog on 02 June 2025, which indicates exploitation in the wild.
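The redirect-parameter handling described above, as an added Python illustration that is not Craft CMS code: store_return_url_unsafe() mirrors the vulnerable behaviour (the requested URL is persisted verbatim, and PHP's file session handler then writes it to sess_<id>), and sanitize_return_url() is one way to reduce the value to a same-origin, percent-encoded path before it ever reaches the session. A plain dict stands in for $_SESSION, and the key name __returnUrl and the function names are assumptions for the example; Craft's actual fix is in the pull request the advisory references and may differ in detail.

```python
"""Login-redirect return-URL handling: the unsafe pattern beside a hardened one.

Added illustration, not Craft CMS code. A plain dict stands in for PHP's
$_SESSION; the key name "__returnUrl" is assumed for the example.
"""
from urllib.parse import quote, urlsplit

# RFC 3986 characters that may stay unencoded in a path segment ('%' kept so
# already-encoded input is not double-encoded). '<', '>', '"', space, etc. are
# never on the list, so a PHP open tag cannot survive into the stored value.
_PATH_SAFE = "/:@!$&'()*+,;=-._~%"
_QUERY_SAFE = _PATH_SAFE + "?"   # a query may additionally contain '?'
FALLBACK = "/"                   # where to send the user when the URL is rejected
MAX_LEN = 2048


def store_return_url_unsafe(session: dict, raw: str) -> None:
    """Vulnerable pattern: the requested URL is persisted verbatim.

    With PHP's file session handler the value lands byte-for-byte in
    sess_<id> under session.save_path, in a file whose name the client
    learns from the Set-Cookie header.
    """
    session["__returnUrl"] = raw


def sanitize_return_url(raw: str, max_len: int = MAX_LEN) -> str:
    """Reduce an untrusted return URL to a same-origin, percent-encoded path.

    Rejected outright (returns FALLBACK): empty or oversized input, control
    characters, anything with a scheme or host (absolute URLs, //host and the
    /\\host browser quirk), and anything not starting with '/'.  Everything
    else is re-encoded with a strict allowlist; the fragment is dropped since
    it never reaches the server anyway.
    """
    if not raw or len(raw) > max_len:
        return FALLBACK
    # Check control characters *before* urlsplit(): recent Python versions
    # silently strip tab/CR/LF from the URL, which would hide them.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
        return FALLBACK
    parts = urlsplit(raw)
    if parts.scheme or parts.netloc:
        return FALLBACK
    path = parts.path
    if not path.startswith("/") or path.startswith(("//", "/\\")):
        return FALLBACK
    safe_path = quote(path, safe=_PATH_SAFE)
    if parts.query:
        return f"{safe_path}?{quote(parts.query, safe=_QUERY_SAFE)}"
    return safe_path


def store_return_url_safe(session: dict, raw: str) -> str:
    """Hardened pattern: only the sanitized form is ever written to the session."""
    clean = sanitize_return_url(raw)
    session["__returnUrl"] = clean
    return clean


if __name__ == "__main__":
    for probe in ("/admin/entries?x=1", "/admin/<?php phpinfo(); ?>",
                  "//evil.example/login", "https://evil.example/"):
        print(f"{probe!r:40} -> {sanitize_return_url(probe)!r}")
```

Because '<' and '>' are never on the allowlist, the most a stored value can contain is %3C%3Fphp, which PHP will not interpret even if the session file is later included through a separate flaw; rejecting schemes, hosts and //host prefixes also closes the open-redirect use of the same parameter. The control-character check runs before urlsplit() deliberately, since newer Python releases strip some of those characters instead of reporting them.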


Vulnerability details

Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named 'sess_[session_value]', where '[session_value]' is provided to the client in a 'Set-Cookie' response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue.
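A forensic sweep for content already planted through this flaw, as an added example that is neither the page's nor the project's code: it walks a session.save_path directory, parses the key|<serialized> layout PHP's default session serializer writes, extracts each length-prefixed string and flags the ones that contain PHP source. The two sample session files are constructed for the demo, the __returnUrl key name is an assumption about how the return URL is keyed in the session, and the default directory is the Debian/Ubuntu path the advisory names.

```python
"""Sweep a PHP session directory for planted PHP source.

Added example, not Craft CMS or PHP code.  PHP's default session
serializer writes  key|<serialize() output>  pairs; string values are
length-prefixed (s:<len>:"<bytes>";), so the parser slices by the declared
length and is not confused by '"' or '|' inside an attacker's payload.
Sample session contents below are constructed; the "__returnUrl" key is
assumed.
"""
import os
import re
import tempfile
from dataclasses import dataclass

DEFAULT_SESSION_DIR = "/var/lib/php/sessions"   # Debian/Ubuntu session.save_path
SESSION_FILE_RE = re.compile(r"^sess_[A-Za-z0-9,-]+$")
PHP_STRING_RE = re.compile(rb's:(\d+):"')        # start of a serialized string
KEY_RE = re.compile(rb"([A-Za-z0-9_]+)\|$")       # top-level key just before a value
# Markers of PHP source, matched case-insensitively (PHP open tags are too).
SUSPICIOUS = (b"<?php", b"<?=", b"eval(", b"base64_decode(", b"<script")


@dataclass
class Finding:
    file: str       # session file name (sess_<id>)
    key: str        # session key the string was stored under
    snippet: bytes  # first bytes of the offending value


def extract_php_strings(blob: bytes) -> list[tuple[str, bytes]]:
    """Return (session_key, value) for every serialized string in a session blob."""
    out: list[tuple[str, bytes]] = []
    pos, key = 0, "?"
    while True:
        m = PHP_STRING_RE.search(blob, pos)
        if not m:
            return out
        km = KEY_RE.search(blob, 0, m.start())    # nested strings keep the outer key
        if km:
            key = km.group(1).decode("ascii", "replace")
        length = int(m.group(1))
        value = blob[m.end():m.end() + length]
        out.append((key, value))
        pos = m.end() + length                     # skip the body, never search inside it


def scan_session_blob(name: str, blob: bytes) -> list[Finding]:
    """Flag strings in one session blob that look like PHP source."""
    findings = []
    for key, value in extract_php_strings(blob):
        lowered = value.lower()
        if any(marker in lowered for marker in SUSPICIOUS):
            findings.append(Finding(name, key, value[:80]))
    return findings


def scan_session_dir(directory: str = DEFAULT_SESSION_DIR) -> list[Finding]:
    """Sweep every sess_* file in a save_path (needs read access: the web
    server user or root)."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not SESSION_FILE_RE.match(name):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            findings.extend(scan_session_blob(name, fh.read()))
    return findings


# Constructed sample session contents, not captured data.
BENIGN = b'__flash|a:0:{}__returnUrl|s:18:"/admin/entries?x=1";'
PLANTED = b'__flash|a:0:{}__returnUrl|s:35:"/admin/<?php system($_GET["c"]); ?>";'


def demo() -> list[Finding]:
    """Write the samples (plus a non-session file) to a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in (("sess_a1b2c3", BENIGN), ("sess_d4e5f6", PLANTED),
                           ("notes.txt", PLANTED)):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(blob)
        return scan_session_dir(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.file}: key={f.key} value={f.snippet!r}")
```

Point scan_session_dir() at the real save_path (php -i | grep session.save_path shows it) during incident response; a hit does not by itself prove execution, only that attacker-controlled text reached disk, so pair the file name with the session cookie in access logs to find the request that planted it.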

CWE(s): CWE-472 External Control of Assumed-Immutable Web Parameter

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

craftcms
Craft CMS
4.x before 4.15.3 · 5.0.0 up to, but not including, 5.7.5

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly requires validation and sanitization of untrusted return-URL input before it is written into session files.

SI-2 Flaw Remediation (prevent)

Mandates timely application of the vendor patches (5.7.5 / 4.15.3) that add return-URL sanitization and eliminate the flaw.

AC-4 Information Flow Enforcement (prevent)

Enforces information-flow rules that can block unauthenticated, unsanitized data from being persisted into server-side session storage.
