CVE-2025-54417: Craft CMS has a theoretical bypass for CVE-2025-23209
Pre-requisites:
- Have a compromised security key (https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret)
- Somehow, manage to create an arbitrary file in Craft's /storage/backups folder.
With both of those in place, an attacker could send a specifically crafted, malicious request to the /updater/restore-db endpoint and execute CLI commands remotely.
Fixed in https://github.com/craftcms/cms/commit/a19d46be78a9ca1ea474012a10e97bed0d787f57
Reported by Marco O. (segfault)
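The advisory does not describe what the malicious request looks like, and nothing here reproduces it. What a defender can act on are the two prerequisites and the endpoint name: requests that reach the updater/restore-db route, and files in storage/backups that Craft did not write. The following Python is an added example written for this page, not Craft's code and not part of the advisory. It assumes Apache/nginx "combined"-format access logs, Craft's default path parameter name (`pathParam`, default `p`) and `action` parameter for action requests, and that Craft's own backups in storage/backups are `.sql` dumps; the log lines it scans are constructed sample data.

```python
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List
from urllib.parse import parse_qs, unquote

# The route named in the advisory. A web-server access log can show it three
# ways: as the URL path, inside Craft's path query parameter (config setting
# `pathParam`, default "p", used when URL rewriting is off), or as an explicit
# action request via the `action` query parameter. Assumed defaults; adjust if
# config/general.php overrides pathParam.
RESTORE_DB_ROUTE = ("updater", "restore-db")
PATH_PARAM = "p"

# Apache/nginx "combined" log format: enough fields for triage.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not real traffic.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [20/Aug/2025:10:14:02 +0000] "GET /admin/dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Aug/2025:10:14:09 +0000] "POST /updater/restore-db HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [20/Aug/2025:10:15:41 +0000] "GET /index.php?p=updater/restore-db HTTP/1.1" 400 96 "-" "curl/8.4.0"',
    '198.51.100.23 - - [20/Aug/2025:10:15:58 +0000] "GET /index.php?action=updater%2Frestore-db HTTP/1.1" 400 96 "-" "curl/8.4.0"',
    '198.51.100.23 - - [20/Aug/2025:10:16:00 +0000] "GET /blog HTTP/1.1" 200 2048 "-" "curl/8.4.0"',
]


@dataclass(frozen=True)
class RestoreDbHit:
    ip: str
    timestamp: str
    method: str
    target: str
    status: int


def _route_matches(route: str) -> bool:
    # Compare the last two path segments so "/updater/restore-db" and
    # "updater/restore-db" match while "/updater/restore-db-other" does not.
    segments = tuple(s for s in unquote(route).split("/") if s)
    return segments[-2:] == RESTORE_DB_ROUTE


def target_hits_restore_db(target: str) -> bool:
    """True if the request target addresses updater/restore-db by URL path,
    by Craft's path parameter, or by an explicit action parameter."""
    path, _, query = target.partition("?")
    if _route_matches(path):
        return True
    params = parse_qs(query, keep_blank_values=True)
    return any(
        _route_matches(value)
        for key in (PATH_PARAM, "action")
        for value in params.get(key, [])
    )


def find_restore_db_requests(log_lines: Iterable[str]) -> List[RestoreDbHit]:
    """Every parsed access-log line whose target reaches the restore-db route.
    Any hit deserves a look: the endpoint is only legitimately used during an
    update from the control panel, and a prerequisite of this CVE is a leaked
    security key, so a 200 from an unfamiliar client is the worrying case."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and target_hits_restore_db(m["target"]):
            hits.append(RestoreDbHit(m["ip"], m["ts"], m["method"], m["target"], int(m["status"])))
    return hits


def unexpected_backup_files(names: Iterable[str], allowed_suffixes=(".sql",)) -> List[str]:
    """File names in storage/backups that are not plain SQL dumps. Assumption:
    Craft's own backups are .sql files, so anything else (a .php file, an
    archive you did not create) is a candidate for the advisory's second
    prerequisite, an attacker-placed file in that directory."""
    return sorted(n for n in names if not n.lower().endswith(tuple(allowed_suffixes)))


def scan_backup_dir(path: str) -> List[str]:
    """Apply unexpected_backup_files to a real storage/backups directory."""
    return unexpected_backup_files(p.name for p in Path(path).iterdir() if p.is_file())


if __name__ == "__main__":
    for hit in find_restore_db_requests(SAMPLE_ACCESS_LOG):
        print(f"{hit.timestamp} {hit.ip} {hit.method} {hit.target} -> {hit.status}")
```

Run `scan_backup_dir("/path/to/craft/storage/backups")` on the host alongside the log sweep; both prerequisites have to be present for the bypass to work, so a hit in the log with no stray file (or the reverse) is still worth recording, but the pair together is the signal to escalate, and rotating the security key is the fix for the first prerequisite regardless of what the scan finds.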