CVE-2025-25286
Published 2025-02-13
Priority P264 · Critical 9.8 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.94% (56.4th percentile)
Crayfish is a collection of Islandora 8 microservices, one of which, Homarus, provides FFmpeg as a microservice. Prior to Crayfish version 4.1.0, remote code execution may be possible in web-accessible installations of Homarus in certain configurations. The issue has been patched in `islandora/crayfish:4.1.0`. Some workarounds are available. The exploit requires making a request against Homarus's `/convert` endpoint, so the ability to exploit is much reduced if the microservice is not directly accessible from the Internet: prevent general access from the Internet to Homarus. Alternatively or additionally, configure auth in Crayfish to be more strictly required, so that requests whose `Authorization` headers do not validate are rejected before the problematic CLI interpolation occurs.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| islandora | crayfish | < 4.1.0 | 4.1.0 |
| islandora | crayfish | >= 0 < 4.1.0 | 4.1.0 |
OSV (osv · 2025-01-15)
CVE-2025-25286 [CRITICAL] Crayfish allows Remote Code Execution via Homarus Authorization header
### Impact
Remote code execution may be possible in web-accessible installations of Homarus in certain configurations.
### Patches
The issue has been patched in `islandora/crayfish:4.1.0`.
### Workarounds
The exploit requires making a request against Homarus's `/convert` endpoint, so the ability to exploit is much reduced if the microservice is not directly accessible from the Internet: prevent general access from the Internet to Homarus.
Configure auth in Crayfish to be more strictly required, so that requests whose `Authorization` headers do not validate are rejected before the problematic CLI interpolation occurs.
### References
- XBOW-024-071
GHSA (ghsa · 2025-01-15)
CVE-2025-25286 [CRITICAL] CWE-150 Crayfish allows Remote Code Execution via Homarus Authorization header
Advisory text (Impact, Patches, Workarounds, References) is identical to the OSV entry above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.