CVE-2025-60868
📋 TL;DR
The Alt Redirect 1.6.3 addon for Statamic fails to properly sanitize query string parameters when the 'Query String Strip' feature is enabled, allowing attackers to bypass input validation. This vulnerability affects Statamic CMS users running the vulnerable addon version and can lead to cache poisoning, parameter pollution, or denial of service attacks.
💻 Affected Systems
- Statamic CMS with Alt Redirect addon
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could poison CDN or proxy caches to serve malicious content to users, perform parameter pollution attacks to manipulate application logic, or cause denial of service through resource exhaustion.
Likely Case
Cache poisoning leading to users receiving incorrect or malicious content from poisoned caches, potentially enabling phishing or content manipulation attacks.
If Mitigated
With proper input validation and output encoding in place, the impact is limited to potential cache invalidation issues or minor parameter manipulation.
🎯 Exploit Status
Exploitation requires sending specially crafted URLs with query parameters that bypass the strip logic through case variations, encoding, or duplicates.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.6.4 or later
Vendor Advisory: https://statamic.com/addons/alt-design/alt-redirects/release-notes
Restart Required: No
Instructions:
1. Update the Alt Redirect addon to version 1.6.4 or later via Statamic's control panel or Composer.
2. Verify the update completed successfully.
3. Test query string stripping functionality.
🔧 Temporary Workarounds
Disable Query String Strip Feature
Temporarily disable the vulnerable 'Query String Strip' feature in the Alt Redirect addon configuration.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block malicious query string patterns.
- Deploy reverse proxy with strict query string validation and sanitization.
🔍 How to Verify
Check if Vulnerable:
Check if Alt Redirect addon version is 1.6.3 and 'Query String Strip' feature is enabled in Statamic control panel.
Check Version:
Check Statamic control panel → Addons → Alt Redirect or run 'composer show alt-design/alt-redirects'
Verify Fix Applied:
Verify Alt Redirect addon version is 1.6.4 or later and test that query strings with case variations, encoded keys, and duplicates are properly stripped.
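The three bypass classes named above (case variations, encoded keys, duplicates) are exactly what a strip implementation has to normalise before comparing keys. The following is an added illustration, not code from the Alt Redirect addon: a hypothetical weak stripper that matches raw keys exactly, a hardened stripper that canonicalises keys first, and a small checker that runs both against one representative URL per class. All URLs, parameter names and the `naive_strip`/`strip_query_params`/`check_strip` names are constructed for this example.

```python
"""Checking a 'query string strip' implementation against the three bypass classes.

Added example, not the addon's own code. The hypothetical `naive_strip`
stands in for any implementation that compares raw keys exactly;
`strip_query_params` shows the canonicalisation a defender wants.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit, unquote


def canonical_key(raw_key: str) -> str:
    """Percent-decode (bounded, so double encoding collapses) and lowercase a key."""
    key = raw_key
    for _ in range(3):               # bounded: no unbounded decode loops on hostile input
        decoded = unquote(key)
        if decoded == key:
            break
        key = decoded
    return key.lower()


def naive_strip(url: str, strip_keys) -> str:
    """Hypothetical weak implementation: exact, case-sensitive match on the raw key."""
    parts = urlsplit(url)
    kept = [p for p in parts.query.split("&")
            if p and p.split("=", 1)[0] not in strip_keys]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "&".join(kept), parts.fragment))


def strip_query_params(url: str, strip_keys) -> str:
    """Remove every occurrence of the configured keys, comparing canonical forms.

    ?UTM_Source=, ?utm%5Fsource=, ?utm%255Fsource= and a duplicated
    ?utm_source=a&utm_source=b are all treated as the single key 'utm_source'.
    """
    wanted = {canonical_key(k) for k in strip_keys}
    parts = urlsplit(url)
    # parse_qsl decodes one layer and yields every pair, duplicates included
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if canonical_key(k) not in wanted]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))


# One constructed URL per bypass class; 'keep' must survive in every case.
VARIANTS = {
    "case":      "https://example.test/page?UTM_Source=x&keep=1",
    "encoded":   "https://example.test/page?utm%5Fsource=x&keep=1",
    "double":    "https://example.test/page?utm%255Fsource=x&keep=1",
    "duplicate": "https://example.test/page?utm_source=a&utm_source=b&keep=1",
}


def check_strip(strip_fn, strip_keys=frozenset({"utm_source"})) -> dict:
    """Return {variant_name: True if the key was fully removed and 'keep' survived}."""
    results = {}
    for name, url in VARIANTS.items():
        out = strip_fn(url, strip_keys)
        keys = {canonical_key(k) for k, _ in
                parse_qsl(urlsplit(out).query, keep_blank_values=True)}
        results[name] = "utm_source" not in keys and "keep" in keys
    return results


if __name__ == "__main__":
    print("naive   :", check_strip(naive_strip))
    print("hardened:", check_strip(strip_query_params))
```

To use this against a real deployment, point the checker at a function that issues the request to the site and returns the post-redirect URL instead of `strip_fn`; a `False` for any variant means that class of input still passes through the strip logic.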
📡 Detection & Monitoring
Log Indicators:
- Unusual query string patterns in access logs
- Multiple similar requests with varying query parameter cases/encodings
Network Indicators:
- HTTP requests with duplicate query parameters
- Requests with URL-encoded query parameters that bypass stripping
SIEM Query:
source="web_access_logs" AND (url_query CONTAINS "?" AND (url_query MATCHES "(?i).*[?&].*=.*" OR url_query MATCHES ".*%[0-9a-fA-F]{2}.*"))
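The SIEM query above matches almost any request that carries a query string, so it is useful as a pre-filter but noisy on its own. The following is an added example, not part of the original advisory, of the log indicators listed above applied to a handful of constructed combined-format access log lines (documentation IP ranges, invented paths): it flags individual requests with duplicate or percent-encoded keys, and groups requests by client and path to surface bursts where the same canonical parameter set arrives in several raw spellings. The `scan_log`/`analyse_request` names and the burst threshold are assumptions for the example.

```python
"""Detection logic for the 'Query String Strip' bypass indicators over access logs.

Added example; the log lines are constructed, not captured traffic.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in Apache/nginx combined-log format (RFC 5737 documentation IPs).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /promo?utm_source=news HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2025:12:00:02 +0000] "GET /promo?UTM_SOURCE=news HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2025:12:00:03 +0000] "GET /promo?utm%5Fsource=news HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2025:12:00:04 +0000] "GET /promo?utm_source=a&utm_source=b HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2025:12:00:05 +0000] "GET /promo?utm_source=mail HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2025:12:00:06 +0000] "GET /about HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENCODED_RE = re.compile(r"%[0-9a-fA-F]{2}")


def analyse_request(target: str):
    """Return (path, raw_query, canonical_keys, findings) for one request target."""
    path, _, query = target.partition("?")
    raw_keys = [pair.split("=", 1)[0] for pair in query.split("&") if pair]
    # two decode passes collapse one layer of double encoding; lowercase folds case variants
    canon = [unquote(unquote(k)).lower() for k in raw_keys]
    findings = []
    if len(canon) != len(set(canon)):
        findings.append("duplicate_key")          # network indicator: duplicate parameters
    if any(ENCODED_RE.search(k) for k in raw_keys):
        findings.append("encoded_key")            # network indicator: percent-encoded key
    return path, query, canon, findings


def scan_log(text: str, burst_threshold: int = 3) -> dict:
    """Flag per-request indicators and per-client bursts of spelling variants."""
    flagged = []                 # (ip, target, findings) for requests with indicators
    seen = defaultdict(set)      # (ip, path, canonical key set) -> distinct raw queries
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue             # unparseable line: skip rather than guess
        path, query, canon, findings = analyse_request(m["target"])
        if findings:
            flagged.append((m["ip"], m["target"], findings))
        if query:
            seen[(m["ip"], path, tuple(sorted(set(canon))))].add(query)
    # log indicator: many requests from one client that differ only in key case/encoding
    bursts = [(ip, path, len(raw)) for (ip, path, _), raw in seen.items()
              if len(raw) >= burst_threshold]
    return {"flagged": flagged, "bursts": bursts}


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for ip, target, findings in result["flagged"]:
        print(f"{ip} {target} -> {', '.join(findings)}")
    for ip, path, count in result["bursts"]:
        print(f"burst: {ip} sent {count} query-string spellings to {path}")
```

The burst grouping is what separates probing from ordinary traffic: a single request with `UTM_SOURCE=` is unremarkable, but the same client sending the same canonical parameters to the same path in four spellings within seconds is the pattern the "multiple similar requests" indicator describes. Tune `burst_threshold` and add a time window for production use.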