CVE-2025-35939
Published: 07 May 2025
Summary
CVE-2025-35939 is a medium-severity External Control of Assumed-Immutable Web Parameter (CWE-472) vulnerability in Craft CMS. Its CVSS base score is 6.9 (Medium).
Operationally, it ranks in the top 2.6% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Craft CMS stores content supplied by unauthenticated users in PHP session files on disk. The affected component is the authentication redirect logic: when a request needs a login, Craft records the requested return URL in the session without sanitizing it, and PHP's file-based session handler writes that session to a file named sess_[session_value]. The page gives /var/lib/php/sessions as the location; that is the Debian/Ubuntu default for PHP's session.save_path, and on other builds the directory is wherever session.save_path points. Craft CMS 5.x before 5.7.5 and 4.x before 4.15.3 are affected.
An unauthenticated remote attacker can request a resource that requires authentication with a crafted return URL whose value contains PHP code or any other content of their choosing. Craft CMS then writes that value into a session file whose name the attacker can predict, because [session_value] is the session ID handed back in the Set-Cookie response header. Craft does not execute the stored content itself; the risk is that an independent local file inclusion or code-execution flaw could later read or include the known file, turning the stored content into executing code.
The project has published releases 5.7.5 and 4.15.3 that correct the issue, along with a pull request that sanitizes the return URL before it is stored in the session. The advisory text itself does not describe in-the-wild exploitation; the KEV entry below records that CISA added the CVE to its catalog.
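The flow described above, as an added example that is not Craft CMS code or the project's patch: a request's return URL is persisted into a PHP-style session file first verbatim (the pre-fix behaviour) and then through a sanitizer. The session-file format is that of PHP's default file handler (key|serialized;), the key name returnUrl, the session directory and the sanitization policy are all this example's own assumptions; the page only states that the patch adds sanitization, not what it does.

```python
import os
import tempfile
from urllib.parse import urlsplit, quote

# Stands in for PHP's session.save_path (/var/lib/php/sessions on Debian-based hosts).
SESSION_DIR = tempfile.mkdtemp(prefix="php_sessions_")

# Characters kept raw in a stored path/query on top of the unreserved set that quote()
# never escapes. '<', '>', '"', '\\', '?' and whitespace are deliberately absent, so a
# PHP open tag cannot survive verbatim. (Policy chosen for this example, not Craft's.)
_SAFE = "/:@!$&'()*+,;="


def php_serialize_string(value: str) -> str:
    """PHP serialize() form for a string: s:<byte length>:"<bytes>";"""
    return f's:{len(value.encode("utf-8"))}:"{value}";'


def write_session_file(session_id: str, values: dict) -> str:
    """Write values the way PHP's 'files' handler does: key|serialized;key|serialized;"""
    path = os.path.join(SESSION_DIR, f"sess_{session_id}")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("".join(f"{k}|{php_serialize_string(v)}" for k, v in values.items()))
    return path


def read_session_file(session_id: str) -> str:
    with open(os.path.join(SESSION_DIR, f"sess_{session_id}"), encoding="utf-8") as fh:
        return fh.read()


def store_return_url_vulnerable(session_id: str, requested_url: str) -> str:
    """Pre-fix behaviour as the advisory describes it: the requested URL is stored as-is."""
    return write_session_file(session_id, {"returnUrl": requested_url})


def sanitize_return_url(requested_url: str, default: str = "/") -> str:
    """Return a site-relative, percent-encoded path (+ query) or the default.

    Hypothetical policy for this example:
      * anything carrying a scheme or host (https://..., //host/...) is dropped, which
        also closes the open-redirect angle of a return URL;
      * the path must start with '/'; the value is rebuilt from the parsed parts, so
        '///host/x' collapses to the harmless relative path '/host/x';
      * path and query are re-encoded so characters outside _SAFE become %XX.
    """
    parts = urlsplit(requested_url)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return default
    safe = quote(parts.path, safe=_SAFE)
    if parts.query:
        safe += "?" + quote(parts.query, safe=_SAFE)
    return safe


def store_return_url_hardened(session_id: str, requested_url: str) -> str:
    return write_session_file(session_id, {"returnUrl": sanitize_return_url(requested_url)})


if __name__ == "__main__":
    # Constructed attacker input: a protected-page request whose query carries a PHP tag.
    payload = "/admin/entries?p=<?php system($_GET['c']); ?>"
    store_return_url_vulnerable("deadbeef", payload)
    store_return_url_hardened("cafef00d", payload)
    print("vulnerable:", read_session_file("deadbeef"))
    print("hardened:  ", read_session_file("cafef00d"))
```

The hardened file still records where the user wanted to go, but the stored bytes contain %3C%3Fphp rather than a PHP open tag, so even a later file-inclusion bug finds nothing executable there. Rejecting absolute and protocol-relative URLs is not strictly required for this CVE, but any return-URL sanitizer should do it, since the same parameter is the classic open-redirect vector.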
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-13951
Vulnerability details
Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named 'sess_[session_value]', where '[session_value]' is provided to the client in a 'Set-Cookie' response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue.
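A triage check a responder might run after reading the description above, added here as an example and not part of the advisory or of Craft CMS: walk a PHP session directory, parse each sess_* file, and flag stored fields whose value (raw or percent-decoded) contains a PHP open tag, a script tag or a command-execution sink. The record format assumed is PHP's default file handler (key|serialized;), the field name returnUrl is a guess (the page does not give Craft's key name), and the session files are constructed inline rather than captured from a real host.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# Things a responder would not expect inside a stored return URL. Extend as needed.
SUSPICIOUS = re.compile(
    r"<\?(?:php\b|=)"                                             # PHP open tags
    r"|<script\b"                                                 # stored XSS attempt
    r"|\b(?:system|passthru|shell_exec|exec|eval|assert)\s*\(",   # execution sinks
    re.IGNORECASE,
)

_STR = re.compile(rb's:(\d+):"')
_SCALAR = re.compile(rb'(?:i:-?\d+|d:[^;]*|b:[01]|N);')


def parse_php_session(raw: bytes) -> dict:
    """Parse PHP 'files' handler records: key|serialized;key|serialized;...

    Strings, ints, floats, bools and null are decoded. The first array/object
    value and everything after it is kept as one opaque blob so nothing is dropped.
    """
    fields, pos = {}, 0
    while pos < len(raw):
        bar = raw.find(b"|", pos)
        if bar < 0:
            break
        key = raw[pos:bar].decode("utf-8", "replace")
        pos = bar + 1
        m = _STR.match(raw, pos)
        if m:
            n = int(m.group(1))                      # byte length, as PHP writes it
            start = m.end()
            fields[key] = raw[start:start + n].decode("utf-8", "replace")
            pos = start + n + 2                      # skip the closing '";'
            continue
        m = _SCALAR.match(raw, pos)
        if m:
            fields[key] = raw[pos:m.end()].decode()
            pos = m.end()
            continue
        fields[key] = raw[pos:].decode("utf-8", "replace")   # a:N:{...} / O:...: opaque
        break
    return fields


def scan_session_dir(session_dir: str) -> list:
    """One finding per session field whose value (raw or percent-decoded) matches SUSPICIOUS."""
    findings = []
    for name in sorted(os.listdir(session_dir)):
        if not name.startswith("sess_"):
            continue
        with open(os.path.join(session_dir, name), "rb") as fh:
            raw = fh.read()
        for key, value in parse_php_session(raw).items():
            for form, text in (("raw", value), ("percent-decoded", unquote(value))):
                m = SUSPICIOUS.search(text)
                if m:
                    findings.append({"file": name, "key": key, "form": form, "match": m.group(0)})
                    break                            # one finding per field is enough for triage
    return findings


def _rec(key: str, value: str) -> bytes:
    """Encode one string field exactly as PHP's session handler would."""
    data = value.encode("utf-8")
    return key.encode() + b"|s:" + str(len(data)).encode() + b':"' + data + b'";'


def build_sample_session_dir() -> str:
    """Constructed sample files (not real captures): benign, PHP tag in the return URL,
    the same tag only in percent-encoded form, and a session with no return URL at all."""
    d = tempfile.mkdtemp(prefix="sess_scan_")
    samples = {
        "sess_0f3a": _rec("returnUrl", "/admin/entries?site=1") + _rec("__id", "42"),
        "sess_9c1e": _rec("returnUrl", "/admin?x=<?php system($_GET['c']); ?>") + b"__flash|a:0:{}",
        "sess_77b2": _rec("returnUrl", "/admin?x=%3C%3Fphp%20echo%201%3B%20%3F%3E"),
        "sess_d00d": b"__id|i:7;visited|b:1;",
    }
    for name, body in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(body)
    return d


if __name__ == "__main__":
    for f in scan_session_dir(build_sample_session_dir()):
        print(f"{f['file']}: field {f['key']} contains {f['match']!r} ({f['form']})")
```

Matching on the percent-decoded form matters because an encoded tag is harmless on disk today but tells you someone was probing; matching on the raw form is what identifies a file that an inclusion bug could actually execute. Point the scanner at the real session.save_path and, on a busy site, add a size or mtime filter before parsing everything.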
- CWE(s): CWE-472 (External Control of Assumed-Immutable Web Parameter)
- KEV Date Added: 02 June 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Craft CMS 5.x before 5.7.5 and Craft CMS 4.x before 4.15.3.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of untrusted return-URL input before it is written into session files.
- SI-2 (Flaw Remediation): mandates timely application of the vendor patches (5.7.5 / 4.15.3) that add return-URL sanitization and eliminate the flaw.
- Information flow enforcement: enforces information-flow rules that can block unauthenticated, unsanitized data from being persisted into server-side session storage.