Craft CMS Remote Code Execution Vulnerability via PHP register_argc_argv
CVE-2024-56145 Published on December 18, 2024

RCE when PHP `register_argc_argv` config setting is enabled in craftcms/cms
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.13.2, or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue.


Known Exploited Vulnerability

This Craft CMS Code Injection Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Craft CMS contains a code injection vulnerability. Users with affected versions are vulnerable to remote code execution if their php.ini configuration has `register_argc_argv` enabled.

The following remediation steps are recommended / required by June 23, 2025: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weakness Type

What is a Code Injection Vulnerability?

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVE-2024-56145 has been classified as a Code Injection vulnerability or weakness.


Products Associated with CVE-2024-56145


Affected Versions

craftcms cms:

Vulnerable Packages

The following package name and versions may be associated with CVE-2024-56145

| Package Manager | Vulnerable Package | Versions | Fixed In |
| --- | --- | --- | --- |
| composer | craftcms/cms | >= 5.0.0-RC1, < 5.5.2 | 5.5.2 |
| composer | craftcms/cms | >= 4.0.0-RC1, < 4.13.2 | 4.13.2 |
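To triage a deployment against the fixed versions and the `register_argc_argv` mitigation described above, the following added example (not code from Craft CMS or from this page's source) reads a `composer.lock` and the text of the php.ini that the web SAPI loads. The function names and sample inputs are constructed for illustration, and any 3.x release below 3.9.14 is assumed to need the update because the page gives no lower bound for that branch.

```python
import json
import re

# First fixed release per major branch, as listed in the advisory above.
FIXED = {3: (3, 9, 14), 4: (4, 13, 2), 5: (5, 5, 2)}
TRUE_VALUES = {"1", "on", "true", "yes"}

# Constructed sample inputs (not taken from any real site).
SAMPLE_LOCK = '{"packages": [{"name": "craftcms/cms", "version": "5.5.1"}]}'
SAMPLE_INI = "; constructed php.ini fragment\nregister_argc_argv = On\n"

def parse_version(raw):
    """'v5.5.1' or '4.0.0-RC1' -> (5, 5, 1) / (4, 0, 0); any suffix is ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    if not m:
        raise ValueError(f"unrecognised version: {raw!r}")
    return tuple(int(part) for part in m.groups())

def craft_version(composer_lock_text):
    """Return the locked craftcms/cms version string, or None if absent."""
    for pkg in json.loads(composer_lock_text).get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg["version"]
    return None

def argc_argv_enabled(php_ini_text):
    """Last assignment wins; with no assignment PHP's built-in default is on."""
    enabled = True
    for line in php_ini_text.splitlines():
        # Lines starting with ';' are comments and do not match here.
        m = re.match(r"\s*register_argc_argv\s*=\s*([^;]*)", line)
        if m:
            enabled = m.group(1).strip().strip("\"'").lower() in TRUE_VALUES
    return enabled

def assess(composer_lock_text, php_ini_text):
    raw = craft_version(composer_lock_text)
    if raw is None:
        return "not-installed"
    version = parse_version(raw)
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "branch-not-listed"
    if version >= fixed:
        return "patched"
    return "exposed" if argc_argv_enabled(php_ini_text) else "mitigated-upgrade-pending"

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK, SAMPLE_INI))
```

The effective setting can differ per SAPI and may be overridden by additional ini files, so confirm the result against the running web configuration rather than the CLI one.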

Exploit Probability

EPSS: 94.15%
Percentile: 99.92%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.