CVE-2025-68456

描述

Unauthenticated users can trigger database backup operations the `updater/backup` action, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes. References: https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39 https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04 ## Affected Endpoints - `POST /admin/actions/updater/backup` (unauthenticated) ## Vulnerability Details ### Root Cause All `updater/*` actions are explicitly configured with anonymous access: ```php // BaseUpdaterController.php protected array|bool|int $allowAnonymous = self::ALLOW_ANONYMOUS_LIVE | self::ALLOW_ANONYMOUS_OFFLINE; ``` ### Attack Vector 1. Send unauthenticated POST request to `/admin/actions/updater/backup` 2. Database backup executes with configured `backupCommand`

如何修補 CVE-2025-68456

要修補 CVE-2025-68456,請將受影響套件升級到下列已修補版本。

• —升級至 5.8.21 或更新版本

CVE-2025-68456 正在被利用嗎?

低 — EPSS 為 0.2%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• >= 5.0.0-RC1, < 5.8.21

CVSS 分數

參考連結(5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-68456
• PATCHgithub.com/craftcms/cms
• WEBgithub.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
• WEBgithub.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39