CVE-2024-56145 Overview
CVE-2024-56145 is a critical remote code execution vulnerability in Craft CMS, a flexible, user-friendly content management system for creating custom digital experiences. This vulnerability affects Craft CMS installations where the PHP configuration has register_argc_argv enabled, allowing unauthenticated attackers to achieve remote code execution through a network-accessible attack vector.
Critical Impact
This vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. Unauthenticated attackers can achieve complete system compromise through remote code execution.
Affected Products
- Craft CMS versions prior to 3.9.14
- Craft CMS versions prior to 4.13.2
- Craft CMS versions prior to 5.5.2
Discovery Timeline
- 2024-12-18 - CVE-2024-56145 published to NVD
- 2025-10-24 - Last updated in NVD database
Technical Details for CVE-2024-56145
Vulnerability Analysis
This vulnerability is classified as CWE-94 (Improper Control of Generation of Code, also known as Code Injection). The flaw exists in how Craft CMS processes certain input when the PHP register_argc_argv directive is enabled in the server's php.ini configuration.
When register_argc_argv is enabled, PHP populates the $_SERVER['argv'] and $_SERVER['argc'] variables with command-line arguments passed to the script. In a web context, this setting can be abused to inject malicious parameters through the query string, as the query string is parsed into the argv array. Craft CMS fails to properly sanitize or validate these injected arguments before processing them, creating an attack surface for code injection.
The vulnerability allows unauthenticated remote attackers to execute arbitrary code on the target server without any user interaction. This represents a complete compromise of confidentiality, integrity, and availability of the affected system.
Root Cause
The root cause of CVE-2024-56145 lies in the application's failure to account for the behavior of PHP's register_argc_argv directive. When this directive is enabled, user-controlled input from the HTTP query string can be passed to the application as command-line arguments, bypassing expected input validation mechanisms.
The vulnerable code path does not sanitize or validate the contents of $_SERVER['argv'] before using them in security-sensitive operations, allowing attackers to inject malicious payloads that ultimately lead to code execution.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can craft a malicious HTTP request to a vulnerable Craft CMS instance where register_argc_argv is enabled. The query string parameters are parsed into the argv array, and the injected payload is processed by the vulnerable code path, resulting in arbitrary code execution.
The exploitation complexity is low, and public proof-of-concept code is available in the GitHub PoC Repository. Given the active exploitation documented by CISA, organizations should treat remediation as an emergency priority.
Detection Methods for CVE-2024-56145
Indicators of Compromise
- Unusual HTTP requests with complex or encoded query string parameters targeting Craft CMS endpoints
- Web server logs showing requests with command-injection patterns or shell metacharacters in query strings
- Unexpected process spawning from the PHP process or web server worker processes
- New or modified files in the Craft CMS installation directory, particularly in writable directories
Detection Strategies
- Monitor web application firewall (WAF) logs for requests containing shell metacharacters, command injection patterns, or unusual encoding in query strings
- Implement network intrusion detection rules to identify exploitation attempts targeting Craft CMS instances
- Review PHP process behavior for unexpected child process creation or network connections
- Deploy file integrity monitoring on the Craft CMS installation to detect unauthorized modifications
Monitoring Recommendations
- Enable detailed access logging on web servers hosting Craft CMS and retain logs for forensic analysis
- Configure alerting for any modification to critical Craft CMS configuration files
- Monitor system resource usage for anomalies that could indicate post-exploitation activity
- Implement egress filtering to detect command-and-control communications from compromised servers
How to Mitigate CVE-2024-56145
Immediate Actions Required
- Update Craft CMS immediately to version 3.9.14, 4.13.2, or 5.5.2 depending on your installed major version
- If patching is not immediately possible, disable register_argc_argv in your php.ini configuration as a temporary mitigation
- Verify PHP configuration across all environments (development, staging, production) to ensure consistency
- Conduct a forensic review of affected systems if they were exposed prior to patching, given the known exploitation status
Patch Information
Craft CMS has released security updates addressing this vulnerability. The fix is documented in the GitHub Commit Changes. Organizations should update to one of the following patched versions:
- Version 3.9.14 for Craft CMS 3.x installations
- Version 4.13.2 for Craft CMS 4.x installations
- Version 5.5.2 for Craft CMS 5.x installations
Additional technical details are available in the GitHub Security Advisory.
Workarounds
- Disable register_argc_argv in the PHP configuration to eliminate the attack vector
- Implement WAF rules to block requests containing suspicious query string patterns targeting Craft CMS
- Restrict network access to Craft CMS administrative interfaces to trusted IP ranges
- Consider placing the Craft CMS installation behind a reverse proxy with additional request filtering capabilities
# Disable register_argc_argv in php.ini
# Locate your php.ini file and add or modify the following line:
register_argc_argv = Off
# Restart your web server/PHP-FPM after making changes
# For Apache:
sudo systemctl restart apache2
# For Nginx with PHP-FPM:
sudo systemctl restart php-fpm
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
