CVE-2025-11905 Overview
CVE-2025-11905 is a code injection vulnerability in yanyutao0402 ChanCMS versions up to 3.3.2. The flaw resides in the getArticle function within app\modules\cms\controller\gather.js. An attacker with low privileges can manipulate input to inject and execute arbitrary code over the network. The exploit details have been published, increasing the likelihood of opportunistic attacks against exposed instances. The vendor was contacted prior to public disclosure but did not respond. This issue is tracked under [CWE-74] (Injection) and [CWE-94] (Improper Control of Generation of Code).
Critical Impact
Remote attackers with low privileges can inject code into ChanCMS instances through the getArticle function, leading to confidentiality, integrity, and availability impact on the application.
Affected Products
- yanyutao0402 ChanCMS versions up to and including 3.3.2
- Component: app\modules\cms\controller\gather.js
- Vulnerable function: getArticle
Discovery Timeline
- 2025-10-17 - CVE-2025-11905 published to the National Vulnerability Database (NVD)
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-11905
Vulnerability Analysis
The vulnerability exists in the getArticle function of ChanCMS's content gathering module. The function processes attacker-controllable input without sufficient validation or sanitization before passing it to a code-evaluation context. This permits an authenticated remote attacker to introduce code that the server interprets and executes within the Node.js runtime hosting ChanCMS.
Because ChanCMS is a JavaScript-based content management platform, code injection in a controller routine effectively allows manipulation of server-side application logic. Successful exploitation can affect article gathering workflows and any data or resources reachable by the application process.
Root Cause
The root cause is improper neutralization of input used in a code generation or evaluation context within gather.js. The getArticle handler accepts request parameters and incorporates them into a dynamic construct without enforcing a strict allowlist. This matches the [CWE-94] pattern of unsafe code construction and the broader [CWE-74] injection class.
Attack Vector
The attack vector is network-based. An authenticated user with low privileges sends a crafted request to the ChanCMS endpoint that invokes getArticle. The manipulated parameter is passed through the vulnerable code path and processed by the server. No user interaction is required beyond the attacker's own request. Public exploit information has been released through the referenced GitHub vulnerability discovery note.
No verified proof-of-concept code is reproduced here. See the VulDB entry #328915 and the referenced GitHub notes for technical details.
Detection Methods for CVE-2025-11905
Indicators of Compromise
- Unexpected outbound network connections from the Node.js process hosting ChanCMS
- Anomalous child processes spawned by the ChanCMS application
- HTTP requests to gather-related endpoints containing JavaScript syntax, backticks, or escape sequences in parameter values
- Modifications to files within app\modules\cms\controller\ outside of deployment windows
Detection Strategies
- Inspect web access logs for requests targeting gather controller routes with abnormal parameter content
- Apply web application firewall rules that flag JavaScript reserved words and code constructs in query and body parameters
- Monitor the Node.js runtime for unexpected use of eval, Function, or child_process APIs through runtime instrumentation
Monitoring Recommendations
- Enable verbose application logging for the getArticle handler and forward logs to a central analytics platform
- Alert on parent-child process relationships where the ChanCMS service spawns shell interpreters
- Track outbound DNS and HTTP requests originating from the application host for unfamiliar destinations
How to Mitigate CVE-2025-11905
Immediate Actions Required
- Restrict network access to ChanCMS administrative and gather endpoints using firewall or reverse proxy rules
- Require strong authentication and remove unnecessary low-privilege accounts that can reach the getArticle endpoint
- Audit existing ChanCMS deployments for signs of exploitation referenced in the Indicators of Compromise section
- Place the application behind a web application firewall configured to inspect parameter values for code constructs
Patch Information
No vendor patch has been published. The vendor was contacted before disclosure but did not respond. Organizations running ChanCMS 3.3.2 or earlier should track the project repository for updates and consider applying input validation patches manually in app\modules\cms\controller\gather.js.
Workarounds
- Disable or block access to the content gather feature if not required for production use
- Implement input validation at the reverse proxy layer to reject parameter values containing JavaScript syntax
- Run the ChanCMS process under a least-privilege account with no shell access and a restricted filesystem view
- Isolate the ChanCMS host in a network segment with strict egress controls to limit post-exploitation movement
# Example reverse proxy rule (nginx) to block suspicious parameters on gather routes
location ~ ^/cms/gather/ {
if ($args ~* "(eval\(|Function\(|require\(|child_process|process\.)") {
return 403;
}
proxy_pass http://chancms_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

