CVE-2025-11905

6.3 MEDIUM

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code through code injection in the getArticle function of ChanCMS. It affects all ChanCMS installations up to version 3.3.2 that have the vulnerable component exposed. Attackers can exploit this without authentication to compromise the CMS server.

💻 Affected Systems

Products:
  • ChanCMS
Versions: Up to and including 3.3.2
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with the vulnerable gather.js component are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.

🟠 Likely Case: Remote code execution leading to website defacement, data theft, or installation of backdoors for persistent access.

🟢 If Mitigated: Limited impact if proper input validation and output encoding are implemented, though the vulnerability still exists.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available in GitHub repositories, making this easily exploitable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is available as the vendor did not respond to disclosure. Consider migrating to alternative CMS solutions.

🔧 Temporary Workarounds

  • Disable vulnerable endpoint (platform: all)
    Remove or disable access to the app/modules/cms/controller/gather.js file:
    mv app/modules/cms/controller/gather.js app/modules/cms/controller/gather.js.disabled
    Test this in a staging environment first: if other modules load this controller at startup, removing it may prevent the application from starting.
  • Implement input validation (platform: all)
    Add strict input validation and sanitization for all parameters passed to the getArticle function.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block suspicious requests to gather.js endpoints
  • Isolate the ChanCMS instance in a restricted network segment with minimal access

🔍 How to Verify

Check if Vulnerable:

Check if ChanCMS version is 3.3.2 or earlier and if app/modules/cms/controller/gather.js exists

Check Version:

Check package.json or version files in ChanCMS installation directory

Verify Fix Applied:

Verify the gather.js file has been disabled or removed, or that input validation has been implemented

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to /cms/gather/getArticle endpoint
  • Suspicious JavaScript or code patterns in request parameters

Network Indicators:

  • HTTP requests with malicious payloads targeting the vulnerable endpoint
  • Unusual outbound connections from the ChanCMS server

SIEM Query:

source="chan_cms_logs" AND (uri="/cms/gather/getArticle" OR uri LIKE "%gather%") AND (payload CONTAINS "eval" OR payload CONTAINS "require" OR payload CONTAINS "Function")
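The SIEM query above matches the literal strings eval, require and Function, so percent-encoded variants slip past it. The following added example (not part of the advisory or of ChanCMS) applies the same indicators to web-server access logs after decoding the request target; the log lines and the query-parameter names are constructed for the example, only the /cms/gather/getArticle path and the three keywords come from the advisory.

```javascript
// Added example (not from the advisory or the ChanCMS project): scan access logs
// in Combined Log Format for requests to the gather.js endpoints listed above.
// Keywords are taken from the advisory's SIEM query; matching is done on the
// percent-decoded target so encoded variants are not missed.
const SUSPICIOUS_TOKENS = ["eval", "require", "Function"];
// Whole-word, case-sensitive match, so "retrieval" does not trigger on "eval".
const TOKEN_RES = SUSPICIOUS_TOKENS.map((t) => new RegExp("\\b" + t + "\\b"));

// ip - user [time] "METHOD target HTTP/x" status bytes
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]) };
}

// Decode percent-encoding up to three times so double-encoded input is seen in
// clear; stop early on a decode error or when nothing changes.
function fullyDecode(s) {
  let cur = s;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch { break; }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Returns a finding for requests touching the gather controller, else null.
function analyzeRequest(req) {
  const qIdx = req.target.indexOf("?");
  const rawPath = qIdx === -1 ? req.target : req.target.slice(0, qIdx);
  const rawQuery = qIdx === -1 ? "" : req.target.slice(qIdx + 1);
  const pathLower = fullyDecode(rawPath).toLowerCase();
  const hitsEndpoint = pathLower.endsWith("/cms/gather/getarticle");
  const touchesGather = pathLower.includes("gather"); // the query's uri LIKE "%gather%"
  if (!hitsEndpoint && !touchesGather) return null;
  const decodedQuery = fullyDecode(rawQuery);
  const tokens = SUSPICIOUS_TOKENS.filter((t, i) => TOKEN_RES[i].test(decodedQuery));
  return { ...req, endpoint: hitsEndpoint, tokens, severity: tokens.length ? "high" : "info" };
}

function scanLog(text) {
  const findings = [];
  for (const line of text.split("\n")) {
    const req = parseLine(line);
    if (!req) continue;
    const f = analyzeRequest(req);
    if (f) findings.push(f);
  }
  return findings;
}

// Count high-severity findings per source address for triage.
function summarizeByIp(findings) {
  const counts = {};
  for (const f of findings) {
    if (f.severity === "high") counts[f.ip] = (counts[f.ip] || 0) + 1;
  }
  return counts;
}

// Constructed sample log (RFC 5737 documentation addresses; the "url" and "q"
// parameter names are hypothetical, not ChanCMS's real parameters).
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
  '203.0.113.7 - - [10/Oct/2025:12:00:02 +0000] "GET /cms/gather/getArticle?url=https://example.org/post/1 HTTP/1.1" 200 2048',
  '198.51.100.9 - - [10/Oct/2025:12:00:03 +0000] "POST /cms/gather/getArticle?q=%72equire HTTP/1.1" 500 0',
  '198.51.100.9 - - [10/Oct/2025:12:00:04 +0000] "GET /cms/gather/list HTTP/1.1" 200 300',
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  const findings = scanLog(SAMPLE_LOG);
  for (const f of findings) console.log(f.severity, f.ip, f.method, f.target, f.tokens.join(","));
  console.log("high-severity requests per IP:", summarizeByIp(findings));
}
```

The third sample line encodes the first letter of "require" as %72; the advisory's literal CONTAINS "require" match would not see it, while the decoded scan does. Requests that reach the endpoint without any keyword are still reported at "info" level, since traffic to this controller is worth reviewing while no patch exists.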
