CVE-2025-25286
📋 TL;DR
CVE-2025-25286 is a critical remote code execution vulnerability in Crayfish's Homarus microservice that provides FFmpeg functionality. Attackers can execute arbitrary code by making requests to the /convert endpoint. Organizations running Islandora 8 with Crayfish microservices are affected.
💻 Affected Systems
- Islandora Crayfish
- Crayfish Homarus microservice
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.
Likely Case
Remote code execution leading to data exfiltration, service disruption, or deployment of cryptocurrency miners/ransomware.
If Mitigated
Limited impact with proper network segmentation and authentication controls preventing exploitation.
🎯 Exploit Status
Exploitation requires access to the /convert endpoint. No authentication bypass needed in default configurations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.1.0
Vendor Advisory: https://github.com/Islandora/Crayfish/security/advisories/GHSA-mm6v-68qp-f9fw
Restart Required: Yes
Instructions:
1. Update Crayfish to version 4.1.0 or later.
2. Update dependencies: composer update islandora/crayfish.
3. Restart all Crayfish microservices.
4. Verify the patch is applied.
🔧 Temporary Workarounds
Network Segmentation
Prevent internet access to the Homarus microservice by placing it behind a firewall or in a private network segment.
iptables -A INPUT -p tcp --dport [HOMARUS_PORT] -s [ALLOWED_IPS] -j ACCEPT
iptables -A INPUT -p tcp --dport [HOMARUS_PORT] -j DROP
Enhanced Authentication
Configure Crayfish to require strong authentication, rejecting requests without valid Authorization headers before CLI interpolation occurs.
Configure Crayfish authentication settings in .env or configuration files
🧯 If You Can't Patch
- Implement strict network access controls to block external access to Homarus /convert endpoint
- Enable and enforce strong authentication for all Crayfish microservices
🔍 How to Verify
Check if Vulnerable:
Check the installed Crayfish version: composer show islandora/crayfish | grep version. If the version is below 4.1.0, the system is vulnerable.
Check Version:
composer show islandora/crayfish | grep version
Verify Fix Applied:
Verify that the version is 4.1.0 or higher: composer show islandora/crayfish. Test the /convert endpoint with malformed input to confirm that it is rejected by input validation.
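The version check above can be scripted so it is repeatable across hosts. The following is an added example, not part of this advisory or of the Crayfish project: it parses the "versions" line of `composer show islandora/crayfish` output, compares the installed version against the 4.1.0 patch version, and reports "vulnerable", "patched" or "unknown" (for a development branch or a missing package). The sample output is constructed, and the exact layout of the composer output line is an assumption.

```python
import re
import subprocess

# Patch version stated in the advisory.
REQUIRED = (4, 1, 0)

# Constructed sample of `composer show islandora/crayfish` output (layout assumed).
SAMPLE_OUTPUT = """name     : islandora/crayfish
descrip. : Islandora microservices
versions : * 4.0.2
"""

# Matches "versions : * 4.0.2" or "versions : * v4.0.2"; the leading "*" marks
# the installed version in composer's output.
VERSION_RE = re.compile(r"^versions\s*:\s*\*?\s*v?(\d+)\.(\d+)\.(\d+)", re.M)


def parse_installed_version(output):
    """Return the installed version as an (major, minor, patch) tuple, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def assess(output, required=REQUIRED):
    """Classify composer output as 'vulnerable', 'patched' or 'unknown'."""
    version = parse_installed_version(output)
    if version is None:
        # dev-* branches or a package that is not installed cannot be compared.
        return "unknown"
    return "vulnerable" if version < required else "patched"


def assess_live():
    """Run the advisory's own command on this host and classify the result."""
    try:
        proc = subprocess.run(
            ["composer", "show", "islandora/crayfish"],
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:
        return "unknown"
    return assess(proc.stdout)


if __name__ == "__main__":
    print("sample output:", assess(SAMPLE_OUTPUT))
    print("this host:", assess_live())
```

Run it from the directory holding the Crayfish composer.json; an "unknown" result means the version line could not be parsed and the host needs the manual check described above.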
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /convert endpoint
- Multiple failed authentication attempts
- Suspicious command execution patterns in Homarus logs
Network Indicators:
- Unusual traffic to Homarus port from external IPs
- Large number of requests to /convert endpoint
- Malformed HTTP requests to microservices
SIEM Query:
source="crayfish.logs" AND (uri_path="/convert" AND (http_method!="POST" OR user_agent="*malicious*" OR status_code=500))
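The log and network indicators listed above can be applied directly to exported Homarus request logs when no SIEM is available. The following is an added example, not part of this advisory or of the Crayfish project: it reads JSON-per-line request events whose field names follow the SIEM query above (uri_path, http_method, status_code, user_agent, plus assumed src_ip and authorized fields), flags /convert requests that come from outside the allowed internal ranges, use a method other than POST, lack authorization, or end in a server error, and separately reports source addresses that exceed a request-count threshold. The sample events, the internal address ranges and the burst threshold are all constructed for the example.

```python
import ipaddress
import json
from collections import Counter

# Assumed internal ranges from which Drupal/Islandora is expected to call Homarus.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Assumed threshold for "large number of requests to /convert" from one address.
BURST_THRESHOLD = 20

# Constructed sample events; field names mirror the SIEM query in this advisory.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T10:00:01Z", "src_ip": "10.0.1.20", "http_method": "POST",
     "uri_path": "/convert", "status_code": 200, "authorized": True, "user_agent": "Drupal/10"},
    {"ts": "2025-03-01T10:00:05Z", "src_ip": "203.0.113.5", "http_method": "POST",
     "uri_path": "/convert", "status_code": 500, "authorized": False, "user_agent": "curl/8.0"},
    {"ts": "2025-03-01T10:00:09Z", "src_ip": "10.0.1.20", "http_method": "GET",
     "uri_path": "/convert", "status_code": 405, "authorized": True, "user_agent": "Drupal/10"},
    {"ts": "2025-03-01T10:00:10Z", "src_ip": "198.51.100.7", "http_method": "GET",
     "uri_path": "/healthcheck", "status_code": 200, "authorized": True, "user_agent": "probe"},
]
# Constructed burst: 25 authorized POSTs from one external address.
SAMPLE_EVENTS += [
    {"ts": f"2025-03-01T10:01:{i:02d}Z", "src_ip": "203.0.113.9", "http_method": "POST",
     "uri_path": "/convert", "status_code": 200, "authorized": True, "user_agent": "python-requests"}
    for i in range(25)
]
SAMPLE_LOGS = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def parse_logs(text):
    """Parse JSON-per-line events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event, allowed_nets=ALLOWED_NETS):
    """Return the indicator tags that apply to one /convert request."""
    tags = []
    if event["uri_path"] != "/convert":
        return tags
    src = ipaddress.ip_address(event["src_ip"])
    if not any(src in net for net in allowed_nets):
        tags.append("external-source")      # traffic to Homarus from outside the allowed ranges
    if event["http_method"] != "POST":
        tags.append("unexpected-method")    # /convert is only expected to receive POST
    if not event.get("authorized", False):
        tags.append("unauthenticated")      # request lacked a valid Authorization header
    if event["status_code"] >= 500:
        tags.append("server-error")         # failed conversions may indicate malformed input
    return tags


def analyze(text, allowed_nets=ALLOWED_NETS, burst_threshold=BURST_THRESHOLD):
    """Return (alerts, bursts): per-event alerts and per-IP /convert counts over threshold."""
    alerts = []
    per_ip = Counter()
    for event in parse_logs(text):
        if event["uri_path"] == "/convert":
            per_ip[event["src_ip"]] += 1
        tags = classify(event, allowed_nets)
        if tags:
            alerts.append({"ts": event["ts"], "src_ip": event["src_ip"], "tags": tags})
    bursts = {ip: n for ip, n in per_ip.items() if n >= burst_threshold}
    return alerts, bursts


if __name__ == "__main__":
    found, heavy = analyze(SAMPLE_LOGS)
    for a in found:
        print(a["ts"], a["src_ip"], ",".join(a["tags"]))
    print("burst sources:", heavy)
```

Replace ALLOWED_NETS with the addresses of the Drupal hosts that legitimately call Homarus; once the service is behind the firewall rules shown above, any "external-source" hit indicates a gap in that segmentation rather than a tolerated client.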