CVE-2025-57811

7.2 HIGH

📋 TL;DR

This CVE describes a remote code execution vulnerability in Craft CMS through Twig Server-Side Template Injection (SSTI): an attacker who can get attacker-controlled Twig syntax into a template that Craft renders can run arbitrary code on the web server as the PHP process user. It affects Craft CMS 4.0.0-RC1 through 4.16.5 and 5.0.0-RC1 through 5.8.6. The 7.2 score corresponds to an attack that needs a privileged account (control panel access) rather than an anonymous request; check the vendor advisory for the exact vector.

💻 Affected Systems

Products:
  • Craft CMS
Versions: 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: This is a follow-up to CVE-2024-52293 with similar exploitation vectors.

📦 What is this software?

Craft CMS is a PHP content management system built on the Yii framework. Its front-end templates and its control panel are rendered with Twig, which is why a template-injection bug in Craft leads directly to code execution on the web server rather than to a cosmetic problem.
⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the web server: arbitrary code execution as the PHP process user, access to database credentials and content, installation of web shells or other malware, and a foothold for pivoting to other systems.

🟠 Likely Case

Unauthorized access to application data, defacement, or installation of a web shell for persistent access.

🟢 If Mitigated

Impact is limited if untrusted users cannot get text into Twig as template source (control panel restricted to trusted accounts, no user-supplied strings rendered as templates). Output encoding does not help here, because the payload executes server-side before any output exists. The RCE risk remains until the patch is applied.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No (the 7.2 CVSS score corresponds to an attack that needs a high-privilege account such as a control panel admin; confirm the vector against the vendor advisory)
Complexity: LOW

Twig SSTI is a well-understood bug class with established techniques for turning template evaluation into code execution, so weaponization is likely once an attacker has the required access. The absence of a public PoC should not be read as low risk.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.16.6 and 5.8.7

Vendor Advisory: https://github.com/craftcms/cms/security/advisories/GHSA-crcq-738g-pqvc

Restart Required: Yes (reload PHP-FPM or the web server so OPcache and compiled templates do not keep serving the old code)

Instructions:

1. Back up the Craft CMS installation and database.
2. Update Craft CMS to 4.16.6 (Craft 4) or 5.8.7 (Craft 5), for example with composer update craftcms/cms --with-all-dependencies (or php craft update craft), then run php craft up to apply pending migrations.
3. Clear compiled templates: php craft clear-caches/compiled-templates.
4. Restart or reload PHP-FPM and the web server.

🔧 Temporary Workarounds

Restrict Template Authoring

Applies to: all

Twig SSTI needs attacker-controlled text to reach Twig as template source, so the effective stopgap is to control who can do that: limit control panel access to trusted accounts, never render user-supplied strings as templates, and keep allowAdminChanges disabled in production so admin-editable settings cannot be changed there (general hardening; it narrows the surface but does not by itself close this vulnerability). Output encoding is the wrong tool here because the payload runs server-side before any output is produced.

WAF Rule Implementation

Applies to: all

Deploy web application firewall rules that block Twig delimiters ({{, {%, {#) and their URL-encoded forms (%7B%7B, %7B%25, %7B%23) in query strings and request bodies. Expect false positives on any endpoint where legitimate users submit template syntax, including the control panel itself, so scope the rule and treat it as a speed bump rather than a fix.

🧯 If You Can't Patch

  • Put the vulnerable host on a segmented network with no outbound egress beyond what the site needs, so a shell spawned from a template cannot fetch tooling or call home
  • Restrict control panel access (IP allow-list, SSO, removal of stale admin accounts), since template authoring goes through the control panel
  • Monitor for suspicious template execution: new or changed files under templates/ and storage/runtime/compiled_templates, and child processes (sh, curl, wget) of PHP-FPM

🔍 How to Verify

Check if Vulnerable:

Read the installed version from the control panel (Utilities → System Report) or from the project directory with composer show craftcms/cms. Anything from 4.0.0-RC1 up to and including 4.16.5, or from 5.0.0-RC1 up to and including 5.8.6, is vulnerable.

Check Version:

composer show craftcms/cms | grep version

Verify Fix Applied:

Confirm the version is 4.16.6 or later (Craft 4) or 5.8.7 or later (Craft 5), and that the running site actually uses that code: the composer check reads vendor/ in the directory where you run it, so run it in the deployed project, not in a stale checkout.
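The version check above compared by hand is easy to get wrong for release candidates and for the two separate fixed versions. The script below is an added example (not Craft's own tooling and not from the advisory): it parses the output of composer show craftcms/cms and decides whether the installed version falls inside either affected range. The composer output it reads is a constructed sample; on a real host, pipe the command itself in instead.

```shell
#!/bin/sh
# Added example, not Craft's own tooling: decide whether an installed Craft CMS
# version is inside the CVE-2025-57811 affected ranges
#   4.0.0-RC1 .. 4.16.5 (fixed in 4.16.6)
#   5.0.0-RC1 .. 5.8.6  (fixed in 5.8.7)
# Pure POSIX sh, so it runs on the web host without extra tooling.

# Drop a pre-release or build suffix: "4.0.0-RC1" -> "4.0.0". A pre-release is
# treated as the release it precedes, which is the right side of the fence
# for the RC1 lower bounds above.
strip_suffix() {
    printf '%s\n' "$1" | sed 's/[-+].*$//'
}

# Compare two x.y.z versions numerically; prints -1, 0 or 1.
vercmp() {
    a=$(strip_suffix "$1")
    b=$(strip_suffix "$2")
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# Exit status 0 (true) when VERSION is affected, 1 otherwise.
# Major versions other than 4 and 5 are not covered by this advisory's ranges.
craft_affected() {
    case "$(strip_suffix "$1" | cut -d. -f1)" in
        4) fixed=4.16.6 ;;
        5) fixed=5.8.7 ;;
        *) return 1 ;;
    esac
    [ "$(vercmp "$1" "$fixed")" -lt 0 ]
}

# Pull the installed version out of `composer show craftcms/cms` output,
# whose relevant line looks like "versions : * 4.16.5".
composer_installed_version() {
    sed -n 's/^versions *: *\* *//p' | head -n 1
}

# Constructed sample of `composer show craftcms/cms` output (not captured
# from a real host). On a real host pipe the command itself instead.
SAMPLE_COMPOSER_OUTPUT='name     : craftcms/cms
descrip. : Craft CMS
versions : * 4.16.5
type     : library'

# Human-readable verdict for one version string.
report() {
    if craft_affected "$1"; then
        printf 'craftcms/cms %s: AFFECTED by CVE-2025-57811, update\n' "$1"
    else
        printf 'craftcms/cms %s: not in the affected range\n' "$1"
    fi
}

# Usage: on a real host, replace the printf with `composer show craftcms/cms`.
report "$(printf '%s\n' "$SAMPLE_COMPOSER_OUTPUT" | composer_installed_version)"
```

Run it from the deployed project directory; a 3.x or 6.x result is reported as "not in the affected range" only because those lines are outside this advisory, not because they are known safe.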

📡 Detection & Monitoring

Log Indicators:

  • Twig syntax or runtime errors in Craft's logs (storage/logs) from requests or control panel actions that should not be compiling templates
  • New or modified files under templates/ and storage/runtime/compiled_templates outside a deployment window
  • The PHP-FPM / web server user spawning sh, bash, curl, wget or similar (a Twig payload usually reaches the OS through a PHP function call)

Network Indicators:

  • HTTP requests whose URL, parameters or body contain Twig delimiters ({{, {%, {#) in raw or URL-encoded form (%7B%7B, %7B%25, %7B%23)
  • Unusual outbound connections from the web server (reverse shells, tool downloads)

SIEM Query:

The query is Splunk-style. Quoted strings such as "{{.*}}" are matched as literal text, not as a regex, so use the regex command, and do not filter on status=200: a malformed payload that breaks template compilation returns a 500 and is still an attempt worth seeing.

source="web_logs" | regex _raw="([{][{]|[{]%|[{]#|%7B%7B|%7B%25|%7B%23)" | stats count by status

Field names for the source IP and URI vary by log sourcetype; add them to the stats clause once they are known.
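Before a SIEM rule exists, the same network indicator can be checked against raw access logs on the host. The script below is an added example (not from the page or the vendor): it undoes the percent-encodings that hide Twig syntax, including one level of double encoding, and prints the matching lines regardless of status code. The log lines are a constructed sample in NCSA combined format; the request paths in them are illustrative, not real Craft routes.

```shell
#!/bin/sh
# Added example, not from the page or the vendor: scan web-server access logs
# for requests that carry Twig delimiters, the main network indicator above.
# Assumptions: NCSA combined log format; only the percent-encodings that hide
# Twig syntax are undone (%7B, %7D, %23, plus %25 for double encoding); every
# status code is kept, since a payload that crashes template compilation
# shows up as a 500, not a 200.

# Undo the encodings an attacker uses to hide {{, {% and {#. The expressions
# run in order on each line, so %257B becomes %7B and then "{".
decode_url() {
    sed -e 's/%25/%/g' -e 's/%7[Bb]/{/g' -e 's/%7[Dd]/}/g' -e 's/%23/#/g'
}

# Print the log lines that contain a Twig opening delimiter after decoding.
find_twig_requests() {
    decode_url | grep -E '[{][{]|[{]%|[{]#'
}

# Number of such lines (0 when there are none).
count_twig_requests() {
    find_twig_requests | wc -l | tr -d ' '
}

# Constructed sample log (not captured from a real host; paths are
# illustrative). Line 1 is a plainly encoded probe, line 3 a raw one, line 4
# a double-encoded one. Line 2 is a POST whose body is not logged, which is
# why access logs alone cannot catch a payload submitted through a form.
SAMPLE_ACCESS_LOG='203.0.113.5 - - [10/Sep/2025:10:00:01 +0000] "GET /?q=%7B%7B7*7%7D%7D HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/Sep/2025:10:00:02 +0000] "POST /admin/entries/save HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.9 - - [10/Sep/2025:10:00:03 +0000] "GET /blog/{{dump()}} HTTP/1.1" 404 221 "-" "Mozilla/5.0"
192.0.2.7 - - [10/Sep/2025:10:00:04 +0000] "GET /search?q=%257B%2525%2520dump%2520%2525%257D HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.0.2.8 - - [10/Sep/2025:10:00:05 +0000] "GET /about HTTP/1.1" 200 3400 "-" "Mozilla/5.0"'

# Usage: on a real host, replace the printf with e.g. cat /var/log/nginx/access.log
printf '%s\n' "$SAMPLE_ACCESS_LOG" | find_twig_requests
```

Three of the five sample lines are flagged; the POST on line 2 is not, which is the gap a request-body-aware WAF log or Craft's own storage/logs has to cover.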
