Advisory

Critical security flaw reported and patched in Craft CMS

Take action: If you are running Craft CMS, either patch as soon as possible or disable the PHP register_argc_argv configuration setting. The exploit details and full write-up are public, and Craft CMS is exposed to the internet by design, so attacks should be expected very soon.



A critical security vulnerability has been discovered in Craft CMS, a popular content management system used by over 150,000 websites globally. The vulnerability was discovered by Assetnote's security research team and was responsibly disclosed to the Craft CMS team on November 19th, 2024.

The vulnerability, tracked as CVE-2024-56145 (CVSS score 9.8), allows unauthenticated attackers to execute arbitrary code on affected systems. The vulnerability stems from Craft CMS's handling of command-line arguments in its bootstrap process, specifically when PHP's register_argc_argv configuration setting is enabled (which is the default PHP configuration).

The flaw allows Remote Code Execution (RCE) without authentication and also exposes the risk of template injection leading to arbitrary code execution.

Affected Versions:

  • Craft CMS v5.x: >= 5.0.0-RC1, < 5.5.2
  • Craft CMS v4.x: >= 4.0.0-RC1, < 4.13.2
  • Craft CMS v3.x: >= 3.0.0, < 3.9.14

The Craft CMS team patched the vulnerability within 24 hours of disclosure. Fixed versions:

  • Version 5.5.2
  • Version 4.13.2
  • Version 3.9.14

Users are advised to patch their CMS systems. If immediate updating is not possible, disable the PHP register_argc_argv configuration setting.
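To make the two checks above concrete, here is an added audit helper that is not part of the advisory or of Craft CMS: it compares an installed Craft version against the fixed releases listed above and reads the effective register_argc_argv value out of a php.ini body. The php.ini fragments and version strings are constructed samples; an absent setting is reported as enabled because the advisory states the PHP default is enabled.

```python
import re

# Fixed releases from the advisory, keyed by major version line.
FIXED = {5: "5.5.2", 4: "4.13.2", 3: "3.9.14"}
TRUTHY = {"1", "on", "yes", "true"}  # values PHP treats as enabled

def parse_version(v):
    """Turn '4.13.1' or '5.0.0-RC1' into a comparable tuple; a pre-release
    suffix sorts below the final release with the same numbers."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)(?:-(.+))?$", v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    return nums + ((0, m.group(4)) if m.group(4) else (1, ""))

def craft_is_vulnerable(version):
    """True when the version is below the fixed release of its major line;
    None for a major line the advisory does not cover."""
    parsed = parse_version(version)
    fixed = FIXED.get(parsed[0])
    if fixed is None:
        return None
    return parsed < parse_version(fixed)

def register_argc_argv_enabled(ini_text):
    """Effective register_argc_argv value in a php.ini body: ';' starts a
    comment, the last assignment wins, no assignment means the built-in
    default (enabled, per the advisory)."""
    value = None
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()
        key, sep, raw = line.partition("=")
        if sep and key.strip().lower() == "register_argc_argv":
            value = raw.strip().strip('"').lower()
    return True if value is None else value in TRUTHY

def audit(version, ini_text):
    """Findings for one install: an empty list means nothing to do."""
    findings = []
    if craft_is_vulnerable(version):
        findings.append(f"Craft {version} is below the fixed release; update")
    if register_argc_argv_enabled(ini_text):
        findings.append("register_argc_argv is enabled; set it Off until patched")
    return findings

# Constructed sample php.ini fragments: the weak setting and the hardened one.
SAMPLE_INI = "; constructed sample\n[PHP]\nregister_argc_argv = On ; weak\n"
HARDENED_INI = SAMPLE_INI.replace("= On", "= Off")

if __name__ == "__main__":
    for v, ini in (("4.13.1", SAMPLE_INI), ("5.5.2", HARDENED_INI)):
        print(v, audit(v, ini) or ["no findings"])
```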
