Home > Vulnerability Database > CVE-2025-54417

Mend.io Vulnerability Database

CVE-2025-54417

Good to know:

Date: August 8, 2025

Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-23209: "Craft CMS has a potential RCE with a compromised security key". To exploit this vulnerability, the project must meet these requirements: have a compromised security key and create an arbitrary file in Craft's /storage/backups folder. With those criteria in place, attackers could create a specific, malicious request to the /updater/restore-db endpoint and execute CLI commands remotely. This issue is fixed in versions 4.16.3 and 5.8.4.

Severity Score

7.5

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-54417

Url: https://github.com/craftcms/cms/commit/a19d46be78a9ca1ea474012a10e97bed0d787f57

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-23209

Url: https://github.com/craftcms/cms

Url: https://github.com/craftcms/cms/security/advisories/GHSA-2vcf-qxv3-2mgw

Url: https://www.mend.io/vulnerability-database/CVE-2025-54417

Severity Score

7.5

Weakness Type (CWE)

Improper Control of Generation of Code ('Code Injection')

CWE-94

Top Fix

Upgrade Version

Upgrade to version craftcms/cms - 4.16.3;craftcms/cms - 5.8.4

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-54417

Good to know:

Date: August 8, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?