Craft CMS 5.7.5/4.15.3: Unauth Stored Arbitrary Content in Session Files (PHP)
CVE-2025-35939 Published on May 7, 2025
Craft CMS stores user-provided content in session files
Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named 'sess_[session_value]', where '[session_value]' is provided to the client in a 'Set-Cookie' response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue.
Known Exploited Vulnerability
This Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136 as represented by CVE-2025-32432.
The following remediation steps are recommended / required by June 23, 2025: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Vulnerability Analysis
CVE-2025-35939 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. This vulnerability is known to be actively exploited by threat actors in an automatable fashion. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Type
What is an Assumed-Immutable Parameter Tampering Vulnerability?
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.
CVE-2025-35939 has been classified to as an Assumed-Immutable Parameter Tampering vulnerability or weakness.
Products Associated with CVE-2025-35939
Want to know whenever a new CVE is published for Craftcms Craft Cms? stack.watch will email you.
Affected Versions
Craft CMS:- Before 5.7.5 is affected.
- Version 5.7.5 is unaffected.
- Before 4.15.3 is affected.
- Version 4.15.3 is unaffected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2025-35939
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| composer | craftcms/cms | >= 4.15.3, <= 4.17.2 | 4.17.3 |
| composer | craftcms/cms | >= 5.7.5, <= 5.9.6 | 5.9.7 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.