CVE-2025-32432: Craft CMS Allows Remote Code Execution
This is an additional fix for https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g
This is a high-impact, low-complexity attack vector. To mitigate the issue, users running Craft installations older than the fixed versions are encouraged to update to at least those versions.
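The advisory boils down to one check: is the installed `craftcms/cms` older than the fix for its release line? The following is an added example (not code from Craft CMS, GitLab, or the advisory) that reads a Composer lock file and answers that question. The per-branch fixed versions in `FIXED_VERSIONS` are taken from the linked advisory GHSA-f3gw-9ww9-jmc3 and should be verified against it before use; the `composer.lock` excerpt is constructed for the example, and the version-parsing helper is this example's own simplification of Composer's version rules (it understands `v`-prefixed numbers and a `-RC1`-style pre-release suffix, not `dev-*` branch aliases).

```python
import json
import re

# Fixed versions per Craft CMS release line, taken from the linked advisory
# GHSA-f3gw-9ww9-jmc3 (assumed here; verify against the advisory before relying on it).
FIXED_VERSIONS = {3: "3.9.15", 4: "4.14.15", 5: "5.6.17"}

# Constructed composer.lock excerpt for the example (not a real project's lock file).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "yiisoft/yii2", "version": "2.0.49"},
        {"name": "craftcms/cms", "version": "4.14.14"},
    ],
    "packages-dev": [],
})


def parse_version(v):
    """Turn 'v4.14.14', '5.6.17-RC1' or '4.14.14.1' into a comparable tuple.

    Numeric components come first (padded to four places); a pre-release
    suffix sorts before the final release of the same number, so
    5.6.17-RC1 < 5.6.17. Raises ValueError for forms it does not handle
    (for example 'dev-main'), rather than silently guessing.
    """
    v = v.strip().lstrip("vV")
    m = re.match(r"^(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?$", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    pre = m.group(2)
    # (1,) marks a final release; (0, suffix) marks a pre-release of that number.
    return nums + ((1,) if pre is None else (0, pre.lower()))


def is_vulnerable(version):
    """True if this craftcms/cms version is below the fix for its major line."""
    parsed = parse_version(version)
    major = parsed[0]
    if major not in FIXED_VERSIONS:
        return False  # release line not covered by this advisory
    return parsed < parse_version(FIXED_VERSIONS[major])


def scan_composer_lock(lock_text):
    """Return (installed_version, vulnerable) for craftcms/cms, or None if absent.

    Both 'packages' and 'packages-dev' are checked, because a Craft install
    pinned only as a dev dependency still ships the affected code.
    """
    data = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == "craftcms/cms":
                ver = pkg["version"]
                return ver, is_vulnerable(ver)
    return None


if __name__ == "__main__":
    result = scan_composer_lock(SAMPLE_LOCK)
    if result is None:
        print("craftcms/cms not present in lock file")
    else:
        ver, vuln = result
        fix = FIXED_VERSIONS.get(parse_version(ver)[0])
        status = f"VULNERABLE (update to >= {fix})" if vuln else "not affected"
        print(f"craftcms/cms {ver}: {status}")
```

Run it against a real project by replacing `SAMPLE_LOCK` with the contents of its `composer.lock`; the comparison is done per major release line, so a 4.x site is measured only against the 4.x fix and is not reported as "vulnerable" merely because 5.x exists.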
References
- craftcms.com/knowledge-base/craft-cms-cve-2025-32432
- github.com/advisories/GHSA-f3gw-9ww9-jmc3
- github.com/craftcms/cms
- github.com/craftcms/cms/blob/3.x/CHANGELOG.md
- github.com/craftcms/cms/blob/4.x/CHANGELOG.md
- github.com/craftcms/cms/blob/5.x/CHANGELOG.md
- github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47
- github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g
- github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3
- nvd.nist.gov/vuln/detail/CVE-2025-32432