CVE-2025-35939
published 2025-05-07

Priority: P1 (80), medium, CVSS 3.1 base score 5.3
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
KEV / ITW: CISA Known Exploited Vulnerability (remediation due 2025-06-23); exploited in the wild
EPSS: 1.12% (62.1st percentile)
Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named 'sess_[session_value]', where '[session_value]' is provided to the client in a 'Set-Cookie' response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue.

Affected (13 ranges)

Vendor   | Product                                     | Version range            | Fixed in
craftcms | cms                                         |                          |
craftcms | cms                                         |                          |
craftcms | cms                                         | >= 0 < 4.15.3            | 4.15.3
craftcms | cms                                         | >= 4.15.3 < 4.17.3       | 4.17.3
craftcms | cms                                         | >= 5.0.0-alpha.1 < 5.7.5 | 5.7.5
craftcms | cms                                         | >= 5.7.5 < 5.9.7         | 5.9.7
craftcms | craft_cms                                   | < 4.15.3                 | 4.15.3
craftcms | craft_cms                                   | >= 4.15.3 < 4.17.3       | 4.17.3
craftcms | craft_cms                                   | >= 5.0.0 < 5.7.5         | 5.7.5
craftcms | craft_cms                                   | >= 5.7.5 < 5.9.7         | 5.9.7
msrc     | cbl2_kernel_5.15.186.1-1_on_cbl_mariner_2.0 |                          |
msrc     | cbl2_kernel_5.15.200.1-1_on_cbl_mariner_2.0 |                          |
msrc     | cbl2_kernel_5.15.202.1-1_on_cbl_mariner_2.0 |                          |

Detection & IOCs (extracted from sources)

path: /var/lib/php/sessions
filename: sess_[session_value]
path: src/web/User.php
  • Monitor for unauthenticated requests that include PHP code or unusual payloads in the return URL parameter, which Craft CMS stores unsanitized in session files at /var/lib/php/sessions.
  • Alert on session files at /var/lib/php/sessions (named sess_<value>) containing PHP code strings, as these may represent pre-positioned payloads for local file inclusion or code execution chaining.
  • Detect chaining of CVE-2025-35939 with CVE-2024-58136 (as represented by CVE-2025-32432); look for LFI/RCE attempts referencing /var/lib/php/sessions paths following unauthenticated redirect requests to Craft CMS.
  • Inspect Set-Cookie response headers from Craft CMS login redirects; the session value returned can be used to predict the server-side session filename (sess_<value>) where attacker-controlled content is stored.
  • The patch in Craft CMS 5.7.5 / 4.15.3 uses strip_tags() in src/web/User.php to sanitize return URLs, but this only removes HTML tags and does NOT filter URL schemes (e.g., javascript:), leaving a residual XSS risk (CVE-2026-31859) fixed only in 5.9.7 / 4.17.3.
  • CVE-2025-35939 is actively exploited in the wild and has been added to CISA's KEV catalog; federal agencies are required to remediate by 2025-06-23.
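A defensive check covering the two data sources the bullets above name: the session files under /var/lib/php/sessions and the unauthenticated request whose target becomes the stored return URL. This is an added example, not part of the advisory or of Craft CMS; the directory path and sess_<value> naming come from the page, while the PHP-code heuristics, the session-serialization layout and the log lines are constructed assumptions.

```python
import re
from pathlib import Path
from urllib.parse import unquote_plus

# The advisory's 'sess_<value>' file naming, and the request line of a common-format access log.
SESSION_FILE = re.compile(r"^sess_[A-Za-z0-9,-]+$")
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/')

# Constructed heuristics for PHP code planted through an unsanitized return URL (assumed, not vendor rules).
PHP_MARKERS = {
    "php_open_tag": re.compile(r"<\?(php\b|=)", re.IGNORECASE),
    "exec_call": re.compile(r"\b(eval|system|passthru|shell_exec|exec)\s*\(", re.IGNORECASE),
}

def php_markers_in(text: str) -> list[str]:
    """Names of heuristics matching text, checked both raw and URL-decoded."""
    decoded = unquote_plus(text)
    return sorted(n for n, rx in PHP_MARKERS.items() if rx.search(text) or rx.search(decoded))

def scan_session_files(files: dict[str, str]) -> dict[str, list[str]]:
    """Flag sess_* entries (filename -> content) whose stored content carries PHP code."""
    return {name: hits for name, content in files.items()
            if SESSION_FILE.match(name) and (hits := php_markers_in(content))}

def scan_session_dir(session_dir: str = "/var/lib/php/sessions") -> dict[str, list[str]]:
    """Read a live session directory (the path named in the advisory) and flag files."""
    p = Path(session_dir)
    files = {f.name: f.read_bytes().decode("utf-8", "replace")
             for f in p.iterdir() if f.is_file()} if p.is_dir() else {}
    return scan_session_files(files)

def scan_access_log(lines) -> list[tuple[str, list[str]]]:
    """Flag requests whose target carries PHP code before it is written to a session file."""
    flagged = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if m and (hits := php_markers_in(m.group("target"))):
            flagged.append((m.group("target"), hits))
    return flagged

# Constructed samples (not real captures); the session layout is an assumed PHP serialization.
SAMPLE_SESSIONS = {
    "sess_abc123": 'returnUrl|s:21:"/admin/entries?page=2";',
    "sess_def456": 'returnUrl|s:27:"/admin/x?q=<?php echo 1; ?>";',
    "not_a_session.txt": "<?php echo 1; ?>",
}
SAMPLE_LOG = [
    '203.0.113.5 - - [07/May/2025:10:00:00 +0000] "GET /admin/entries?page=2 HTTP/1.1" 302 0',
    '203.0.113.9 - - [07/May/2025:10:00:03 +0000] "GET /admin/x?q=%3C%3Fphp+echo+1%3B+%3F%3E HTTP/1.1" 302 0',
]
```

Run scan_session_dir() on the host as a periodic check and scan_access_log() over the web server's access log; a hit in the log without a matching session-file hit suggests the request was blocked or the session has since expired.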

CVSS provenance

Source      | Version | Score | Severity | Vector
nvd         | v3.1    | 5.3   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
nvd         | v4.0    | 6.9   | MEDIUM   | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ghsa        |         | 6.9   | MEDIUM   |
osv         |         | 6.9   | MEDIUM   |
vulncheck   |         | 9.0   | CRITICAL |
cisa        |         | 9.8   | CRITICAL |
vendor_msrc |         | 5.5   | MEDIUM   |