CVE-2025-13828
📋 TL;DR
This vulnerability allows any authenticated user, even one with low privileges, to install arbitrary Composer packages on a Mautic installation. It bypasses the setting that is supposed to block Composer-based installs and updates when that setting is disabled. Because an attacker-chosen package can carry arbitrary PHP, this amounts to code execution in the application's context from a low-privilege account. All Mautic installations running a vulnerable version are affected.
💻 Affected Systems
- Mautic
⚠️ Manual Verification Required
This CVE entry does not carry machine-readable version ranges in our database, so automatic detection cannot decide whether your system is affected; use the patch version in the Fix section and the vendor advisory as the reference instead.
Why? The NVD/vendor record for this CVE does not specify affected version ranges.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full administrative control of the Mautic instance, installs backdoors, steals sensitive data, or uses the server for further attacks.
Likely Case
An insider threat or compromised low-privilege account installs malicious packages to escalate privileges or establish persistence.
If Mitigated
With proper access controls and monitoring, unauthorized package installations are detected and blocked before causing damage.
🎯 Exploit Status
Exploitation requires authenticated access but minimal technical skill. The advisory provides enough detail for attackers to craft exploits.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.1.4
Vendor Advisory: https://github.com/mautic/mautic/security/advisories/GHSA-3fq7-c5m8-g86x
Restart Required: No
Instructions:
1. Back up your Mautic installation and database.
2. Update to Mautic 5.1.4 or later via the official update mechanism.
3. Verify the update completed successfully.
4. Review installed packages for any unauthorized additions.
🔧 Temporary Workarounds
Restrict Composer Access
Linux: remove the Composer executable or restrict its permissions so the web-server account (typically www-data or the PHP-FPM user) cannot run Composer commands. Note that this also blocks legitimate Composer use from the application, so treat it as a stopgap until you patch.
chmod 750 /usr/local/bin/composer
chown root:root /usr/local/bin/composer
Afterwards confirm the restriction from the web-server account, for example with `sudo -u www-data /usr/local/bin/composer --version`, which should be refused.
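The following is an added example, not part of the advisory or of Mautic: a small POSIX shell audit that decides, from a file's permission bits and the group membership of an OS user, whether that user could execute it, plus a helper that applies the chown/chmod workaround above and checks the result. It assumes GNU coreutils (`stat -c`) and that the web-server account is `www-data`; adjust both for your host.

```shell
#!/bin/sh
# Added example (not from the advisory or Mautic): verify that a given OS user
# cannot execute the Composer binary after the chown/chmod workaround.
# Assumes GNU coreutils (stat -c) and a Linux host; www-data is an assumption.

# user_can_exec FILE USER -> exit 0 if USER's owner/group/other bits grant execute.
user_can_exec() {
  file=$1
  user=$2
  [ -e "$file" ] || return 1                # missing binary: nobody can run it
  mode=$(stat -c '%a' "$file")
  mode=${mode#"${mode%???}"}                # keep the last three octal digits (drop setuid/setgid/sticky)
  owner=$(stat -c '%U' "$file")
  group=$(stat -c '%G' "$file")
  u=$(printf '%s' "$mode" | cut -c1)
  g=$(printf '%s' "$mode" | cut -c2)
  o=$(printf '%s' "$mode" | cut -c3)
  if [ "$user" = "$owner" ]; then
    bit=$u                                  # owner class
  elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
    bit=$g                                  # group class (user is a member of the file's group)
  else
    bit=$o                                  # other class (also used for unknown users)
  fi
  [ $((bit & 1)) -eq 1 ]                    # the low bit of each octal digit is execute
}

# lock_down_composer [PATH] [WEB_USER]: apply the page's workaround and confirm
# the web-server account is locked out. Run as root.
lock_down_composer() {
  composer=${1:-/usr/local/bin/composer}    # assumed default Composer location
  web_user=${2:-www-data}                   # assumed web-server account
  chown root:root "$composer" && chmod 750 "$composer" || return 1
  if user_can_exec "$composer" "$web_user"; then
    echo "still executable by $web_user" >&2
    return 1
  fi
  echo "$web_user can no longer execute $composer"
}

# Usage on the Mautic host:  lock_down_composer /usr/local/bin/composer www-data
```

The audit is deliberately bit-based rather than running `test -x` as the target user, so it can be run by root without switching accounts and without depending on the shell of the web-server user. Remember that 750 still lets members of the root group execute the file; if your PHP process runs in that group, tighten to 700.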
Disable Package Management Interface
All platforms: temporarily disable the web interface for package management if you do not need it, so the vulnerable install path is not reachable at all.
🧯 If You Can't Patch
- Implement strict access controls to limit which users can access the Mautic admin interface.
- Monitor Composer package installation logs and set up alerts for unauthorized package additions.
🔍 How to Verify
Check if Vulnerable:
Check your Mautic version. If it is below 5.1.4 and the installation uses Composer-based package management, treat it as vulnerable.
Check Version:
php bin/console mautic:version
(Mautic 4 and 5 ship the console at bin/console rather than the older app/console path; the version string can also be read from app/version.txt in the install directory.)
Verify Fix Applied:
After updating, verify the version reports 5.1.4 or higher, then confirm from a low-privilege test account that the package-installation function is refused, and diff composer.json and composer.lock against your pre-update backup to make sure nothing unexpected was added in the meantime.
📡 Detection & Monitoring
Log Indicators:
- Unusual Composer package installations
- Package installation attempts by non-admin users
- Changes to composer.json or composer.lock files
Network Indicators:
- Outbound connections to package repositories from unexpected users
SIEM Query (field names are illustrative; map source and user to your own log schema):
source="mautic_logs" AND ("composer install" OR "package installed") AND user!="admin"
Do not rely on the user!="admin" filter alone: a compromised administrator account would pass it, so alert on any package installation that does not match a change ticket.
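As an added example (not code from this page or from the Mautic project), here is detection logic for the "changes to composer.json or composer.lock" indicator: it fingerprints a composer.lock snapshot, diffs it against a known-good baseline, and raises alerts for packages that were added, removed or changed, with an extra flag for vendors outside an allowlist. The lock-file shape (top-level "packages" and "packages-dev" lists of name/version objects) is Composer's real format; the two lock documents, the vendor allowlist and the package names in them are constructed samples.

```python
"""Added example, not from the CVE page or Mautic: baseline/diff monitoring of
composer.lock to catch unauthorized package installs.  Run it from cron or a
file-change hook; persist FINGERPRINT and the baseline lock text somewhere the
web-server user cannot write."""
import hashlib
import json

# Constructed sample: the known-good lock file captured right after a clean deploy.
BASELINE_LOCK = json.dumps({
    "packages": [
        {"name": "mautic/core-lib", "version": "5.1.3"},
        {"name": "symfony/console", "version": "v5.4.30"},
    ],
    "packages-dev": [],
})

# Constructed sample: the lock file as found later, with one extra package and one bump.
CURRENT_LOCK = json.dumps({
    "packages": [
        {"name": "mautic/core-lib", "version": "5.1.3"},
        {"name": "symfony/console", "version": "v5.4.31"},
        {"name": "acme/totally-legit-helper", "version": "1.0.0"},  # constructed, not in baseline
    ],
    "packages-dev": [],
})

# Assumed allowlist of vendor prefixes your change process permits (adjust per site).
ALLOWED_VENDORS = ("mautic/", "symfony/")


def fingerprint(lock_text: str) -> str:
    """SHA-256 over the canonical package set, so reformatting alone does not alert."""
    canonical = json.dumps(sorted(packages(lock_text).items()))
    return hashlib.sha256(canonical.encode()).hexdigest()


def packages(lock_text: str) -> dict:
    """Map package name -> version across both prod and dev sections of a composer.lock."""
    doc = json.loads(lock_text)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in doc.get(section, []):
            found[pkg["name"]] = pkg["version"]
    return found


def diff_lock(baseline_text: str, current_text: str) -> dict:
    """Return added / removed / changed package names between two lock files."""
    base, cur = packages(baseline_text), packages(current_text)
    return {
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
        "changed": sorted(n for n in set(base) & set(cur) if base[n] != cur[n]),
    }


def alerts(baseline_text: str, current_text: str,
           allowed=ALLOWED_VENDORS) -> list:
    """One human-readable alert line per deviation; unknown vendors get HIGH severity.

    Any deviation is worth a ticket, because on a vulnerable Mautic a low-privilege
    user could have produced it, but a package from a vendor you never approved is
    the strongest signal of an attacker-chosen install."""
    diff = diff_lock(baseline_text, current_text)
    lines = []
    for name in diff["added"]:
        sev = "MEDIUM" if name.startswith(allowed) else "HIGH"
        lines.append(f"{sev}: package added outside change control: {name}")
    for name in diff["removed"]:
        lines.append(f"MEDIUM: package removed: {name}")
    for name in diff["changed"]:
        lines.append(f"LOW: package version changed: {name}")
    return lines


if __name__ == "__main__":
    if fingerprint(BASELINE_LOCK) != fingerprint(CURRENT_LOCK):
        for line in alerts(BASELINE_LOCK, CURRENT_LOCK):
            print(line)
```

On a real host, read the baseline from a root-owned location and the current file from the Mautic install directory; the fingerprint comparison is cheap enough to run every minute, and only when it differs do you need the full diff. Pair it with an inotify or auditd watch on composer.json and composer.lock so the alert fires at write time rather than at the next poll.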