Home > Vulnerability Database > CVE-2025-25286

Mend.io Vulnerability Database

CVE-2025-25286

Date: February 12, 2025

Crayfish is a collection of Islandora 8 microservices, one of which, Homarus, provides FFmpeg as a microservice. Prior to Crayfish version 4.1.0, remote code execution may be possible in web-accessible installations of Homarus in certain configurations. The issue has been patched in "islandora/crayfish:4.1.0". Some workarounds are available. The exploit requires making a request against the Homarus's "/convert" endpoint; therefore, the ability to exploit is much reduced if the microservice is not directly accessible from the Internet, so: Prevent general access from the Internet from hitting Homarus. Alternatively or additionally, configure auth in Crayfish to be more strongly required, such that requests with "Authorization" headers that do not validate are rejected before the problematic CLI interpolation occurs.

Severity Score

9.8

Related Resources (5)

Url: https://github.com/Islandora/Crayfish

Url: https://github.com/Islandora/Crayfish/security/advisories/GHSA-mm6v-68qp-f9fw

Url: https://github.com/Islandora/Crayfish/commit/64cb4cec688928798cc40e6f0a0e863d7f69fd89

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-25286

Url: https://www.mend.io/vulnerability-database/CVE-2025-25286

Severity Score

9.8

Weakness Type (CWE)

Improper Neutralization of Escape, Meta, or Control Sequences

CWE-150

Failure to Sanitize Paired Delimiters

CWE-157

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-25286

Date: February 12, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?