CVE-2025-23209

Description

### Impact This is an RCE vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret Anyone running an unpatched version of Craft with a compromised security key is affected. ### Patches This has been patched in Craft 5.5.8 and 4.13.8. ### Workarounds If you can't update to a patched version, then rotating your security key and ensuring its privacy will help to migitgate the issue. ### References https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603

How to fix CVE-2025-23209

To remediate CVE-2025-23209, upgrade the affected package to a fixed version below.

• —upgrade to 5.5.8 or later

Is CVE-2025-23209 being exploited?

Yes — CVE-2025-23209 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.

Affected packages (1)

• >= 5.0.0-RC1, < 5.5.8

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-23209
• PATCHgithub.com/craftcms/cms
• WEBcraftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret
• WEBgithub.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603