CVE-2026-25125
MEDIUM4.9EPSS 0.01%October Rain has Environment Variable Exfiltration via INI Parser Interpolation
Description
A server-side information disclosure vulnerability was identified in the INI settings parser. PHP's `parse_ini_string()` function supports `${}` syntax for environment variable interpolation. Attackers with Editor access could inject `${APP_KEY}`, `${DB_PASSWORD}`, or similar patterns into CMS page settings fields, causing sensitive environment variables to be resolved and stored in the template. These values were then returned to the attacker when the page was reopened. ### Impact - Exfiltration of sensitive environment variables (APP_KEY, DB credentials, AWS keys, etc.) - Could enable further attacks: database access, cookie forgery, AWS resource access - Requires authenticated backend access with Editor permissions - Only relevant when `cms.safe_mode` is enabled (otherwise direct PHP injection is already possible) ### Patches The vulnerability has been patched in v3.7.14 and v4.1.10. All users are encouraged to upgrade to the latest patched version. ### Workarounds If upgrading immediately is not possible: - Restrict Editor tool access to fully trusted administrators only - Ensure database and cloud service credentials are not accessible from the web server's network ### References - Reported by Pentest-Tools.com
Affected packages (1)
- Packagist/october/rain>= 4.0.0, < 4.1.10
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |