CVE-2025-35939

Severity: 5.3 MEDIUM | CISA KEV

📋 TL;DR

CVE-2025-35939 is a session file injection vulnerability in Craft CMS where unauthenticated users can inject arbitrary content into server-side session files. This could lead to remote code execution if combined with another vulnerability to access and execute the injected content. Affects Craft CMS installations before versions 5.7.5 and 4.15.3.

💻 Affected Systems

Products:
  • Craft CMS
Versions: All versions before 5.7.5 and 4.15.3
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default Craft CMS configurations using PHP session storage.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete server compromise, data theft, and lateral movement within the network.

🟠 Likely Case

Session file corruption, denial of service, or preparation for future exploitation if combined with other vulnerabilities.

🟢 If Mitigated

Limited impact with proper session file permissions and web server isolation preventing file execution.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation makes internet-facing systems primary targets.
🏢 Internal Only: MEDIUM - Internal systems still vulnerable but attack surface reduced.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires chaining with another vulnerability to execute injected content, but injection itself is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.7.5 or 4.15.3

Vendor Advisory: https://github.com/craftcms/cms/releases/tag/5.7.5

Restart Required: No

Instructions:

1. Backup your Craft CMS installation and database.
2. Update to Craft CMS 5.7.5 (for Craft 5) or 4.15.3 (for Craft 4).
3. Verify the update via the admin panel.
4. Clear PHP session files at /var/lib/php/sessions/.

🔧 Temporary Workarounds

Restrict Session File Permissions

Platform: linux

Set strict permissions on PHP session directory to prevent file execution.

chmod 600 /var/lib/php/sessions/*
chown www-data:www-data /var/lib/php/sessions/

Session Storage Isolation

Platform: all

Move session storage outside web root or use database session storage.

Edit php.ini: session.save_path = "/var/php_sessions"
mkdir /var/php_sessions && chmod 700 /var/php_sessions

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block suspicious session parameter patterns.
  • Monitor and alert on unusual session file modifications in /var/lib/php/sessions/.

🔍 How to Verify

Check if Vulnerable:

Check Craft CMS version in admin panel or via composer show craftcms/cms. Versions below 5.7.5 (Craft 5) or 4.15.3 (Craft 4) are vulnerable.

Check Version:

composer show craftcms/cms | grep version

Verify Fix Applied:

Confirm version is 5.7.5 or higher (Craft 5) or 4.15.3 or higher (Craft 4). Test that session parameters are properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual session file creation/modification timestamps in /var/lib/php/sessions/
  • HTTP requests with suspicious parameters in return URLs

Network Indicators:

  • HTTP requests containing PHP code patterns in URL parameters
  • Multiple session creation attempts from single IP

SIEM Query:

source="/var/log/nginx/access.log" OR source="/var/log/apache2/access.log" | search "returnUrl=*php*" OR "returnUrl=*eval*" OR "returnUrl=*system*"
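As an added example (not part of this advisory), the log indicators above expressed as a small Python scanner: it parses combined-format access-log lines, percent-decodes every returnUrl value, flags the PHP code patterns named in the SIEM query, and counts hits per source IP for the "multiple attempts from a single IP" indicator. The log lines are constructed samples and the pattern labels are assumed names.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined access-log format (not real traffic); lines 1 and 3 carry PHP code.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2025:10:01:05 +0000] "GET /?returnUrl=%3C%3Fphp%20echo%201%3B%20%3F%3E HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.7 - - [12/May/2025:10:02:10 +0000] "GET /?returnUrl=%2Fdashboard HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2025:10:02:11 +0000] "GET /?returnUrl=eval%28%27x%27%29 HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.7 - - [12/May/2025:10:03:00 +0000] "GET /?returnUrl=%2Fblog%2Fphp-tips HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: source IP, timestamp, request target and status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# PHP code patterns from the indicators above (open tag, eval, system); the labels are assumed names.
PHP_PATTERNS = [
    ("php-open-tag", re.compile(r"<\?(php\b|=)", re.I)),
    ("eval-call", re.compile(r"\beval\s*\(", re.I)),
    ("system-call", re.compile(r"\bsystem\s*\(", re.I)),
]

def return_url_values(target):
    """All returnUrl values in a request target, percent-decoded."""
    return parse_qs(urlsplit(target).query).get("returnUrl", [])

def php_code_pattern(value):
    """Label of the first PHP code pattern found in a decoded value, else None."""
    for name, rx in PHP_PATTERNS:
        if rx.search(value):
            return name
    return None

def scan_log(log_text):
    """One hit per returnUrl value that carries a PHP code pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for value in return_url_values(m.group("target")):
            if pattern := php_code_pattern(value):
                hits.append({"ip": m.group("ip"), "returnUrl": value, "pattern": pattern})
    return hits

def repeat_offenders(hits, threshold=2):
    """Source IPs with at least `threshold` hits (the 'multiple attempts from one IP' indicator)."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

The SIEM query above matches the bare substring php, which also fires on a harmless returnUrl such as /blog/php-tips; keying on the <?php open tag and call syntax, as here, avoids that false positive.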
