CVE-2025-68436
📋 TL;DR
This vulnerability allows authenticated users on Craft CMS installations to expose sensitive assets through maliciously crafted requests targeting user profile photos. The issue affects Craft CMS versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16. Only authenticated users can exploit this vulnerability.
💻 Affected Systems
- Craft CMS
📦 What is this software?
Craft Cms by Craftcms
⚠️ Risk & Real-World Impact
Worst Case
Authenticated attackers could access sensitive files or assets stored on the server that should be protected, potentially including configuration files, database backups, or other restricted content.
Likely Case
Authenticated users with malicious intent could access files they shouldn't have permission to view, potentially exposing sensitive information stored in the Craft installation.
If Mitigated
With proper access controls and monitoring, the impact is limited to authenticated users only, and sensitive assets should already be protected through additional security layers.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of how to craft malicious requests targeting the user profile photo functionality.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.8.21 and 4.16.17
Vendor Advisory: https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9
Restart Required: No
Instructions:
1. Backup your Craft installation and database.
2. Update Craft CMS to version 5.8.21 (for Craft 5) or 4.16.17 (for Craft 4).
3. Verify the update was successful by checking the version in the control panel.
🔧 Temporary Workarounds
Restrict user profile photo uploads
Disable or restrict user profile photo functionality to prevent exploitation of this vulnerability.
Implement additional file access controls
Add web server rules to restrict access to sensitive directories and files.
🧯 If You Can't Patch
- Restrict user permissions to minimize authenticated users who could exploit this vulnerability.
- Implement strict monitoring of user profile photo uploads and file access patterns.
🔍 How to Verify
Check if Vulnerable:
Check your Craft CMS version in the control panel (Settings → System) or via composer show craftcms/cms.
Check Version:
composer show craftcms/cms | grep version
Verify Fix Applied:
Verify the version is 5.8.21 or higher (for Craft 5) or 4.16.17 or higher (for Craft 4) after updating.
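A version check that applies the advisory's affected ranges, added here as an example (not Craft's or the advisory's own tooling): it reads craftcms/cms from a composer.lock (a constructed fragment is embedded) and orders release candidates before final releases so the 4.0.0-RC1 and 5.0.0-RC1 lower bounds are honoured.

```python
import json
import re
from typing import Optional, Tuple

# Affected ranges per major branch, exactly as stated in the advisory:
# (first affected, last affected). Fixed releases are 4.16.17 and 5.8.21.
AFFECTED = {
    4: ("4.0.0-RC1", "4.16.16"),
    5: ("5.0.0-RC1", "5.8.20"),
}
_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?$", re.IGNORECASE)

def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn 'MAJOR.MINOR.PATCH[-RCn]' into a sortable tuple; a release
    candidate sorts before its final release, so 5.0.0-RC1 < 5.0.0."""
    m = _VER_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Craft version string: {v!r}")
    major, minor, patch, rc = m.groups()
    final_flag, rc_num = (0, int(rc)) if rc else (1, 0)
    return (int(major), int(minor), int(patch), final_flag, rc_num)

def is_vulnerable(version: str) -> Optional[bool]:
    """True inside an affected range, False if patched or newer,
    None if the major branch is not covered by this advisory."""
    key = parse_version(version)
    branch = AFFECTED.get(key[0])
    if branch is None:
        return None
    first, last = branch
    return parse_version(first) <= key <= parse_version(last)

def craft_version_from_lock(lock_text: str) -> Optional[str]:
    """Read the installed craftcms/cms version out of composer.lock JSON."""
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None

# Constructed composer.lock fragment for the demo (not from a real install).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "5.8.20"},
    {"name": "yiisoft/yii2", "version": "2.0.49"},
]})

if __name__ == "__main__":
    v = craft_version_from_lock(SAMPLE_LOCK)
    print(v, "VULNERABLE" if is_vulnerable(v) else "patched")
```

Feed craft_version_from_lock the contents of your real composer.lock; a version string the pattern does not recognise raises an error rather than silently reporting the install as patched.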
📡 Detection & Monitoring
Log Indicators:
- Unusual patterns in user profile photo uploads or access
- Multiple failed attempts to access files via user profile endpoints
- Requests with unusual parameters to user photo endpoints
Network Indicators:
- Unusual traffic patterns to /index.php?p=admin/actions/users/save-user-photo or similar endpoints
SIEM Query:
source="web_logs" AND (uri_path="*save-user-photo*" OR uri_path="*user*photo*") AND (status_code=200 OR status_code=403) | stats count by src_ip, uri_path