CVE-2025-35939 Overview
CVE-2025-35939 is a session file content injection vulnerability in Craft CMS that lets unauthenticated users store arbitrary content in server-side PHP session files. The flaw lies in how Craft CMS handles authentication redirects: the URL the user was trying to reach is saved as the post-login return URL without validation, so an attacker can place attacker-chosen content, including PHP code, into a file whose location on the server is known.
When Craft CMS receives a request for a resource that requires authentication, it redirects the client to the login page and starts a PHP session; with PHP's default file-based session handler the session data is written under session.save_path, which is /var/lib/php/sessions on Debian-derived systems. The file name follows a fixed convention (sess_[session_value]), and the session value is handed to the client in the Set-Cookie response header of that same redirect. Because Craft CMS stores the requested URL, query string included, in the session without validating it, an unauthenticated attacker can write arbitrary values into a file whose path they can derive.
Critical Impact
This vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. On its own it only writes attacker-controlled bytes into a session file; combined with an independent vulnerability such as a Local File Inclusion (LFI) that includes that file, the injected PHP code is executed by the server, yielding remote code execution as the web server user.
Affected Products
- Craft CMS 5.x prior to 5.7.5
- Craft CMS 4.x prior to 4.15.3
Discovery Timeline
- May 7, 2025 - CVE-2025-35939 published to NVD
- October 24, 2025 - Last updated in NVD database
Technical Details for CVE-2025-35939
Vulnerability Analysis
This vulnerability is a case of external control of an assumed-immutable web parameter (CWE-472): the application treats the post-login return URL as trustworthy data and persists it server-side without validation. The attack targets the session management mechanism in Craft CMS, specifically how the application handles return URLs during authentication workflows.
The core issue is the trust placed in the user-supplied request URL during the redirect. When an unauthenticated user attempts to access a protected resource, Craft CMS stores the requested URL in the session so it can redirect the user back after a successful login. Without validation, an attacker can craft a request whose path or query string carries arbitrary content, including PHP code, and that content is written verbatim into the session file; PHP's session serializer stores strings as length-prefixed values without escaping, so a PHP open tag survives intact.
This vulnerability alone provides only content injection; a secondary vulnerability (such as an LFI) is needed to turn it into code execution. The fixed session file path (/var/lib/php/sessions/sess_[session_value]) combined with a session value the attacker learns from the Set-Cookie header gives a reliable primitive for placing a payload at a known location. If the PHP session configuration does not enable session.use_strict_mode, PHP also accepts a client-supplied session ID, in which case the attacker chooses the file name rather than merely learning it.
Root Cause
The root cause is the lack of input sanitization when storing return URLs in PHP session files. Craft CMS directly writes the client-supplied return URL parameter to the session file without filtering or encoding potentially dangerous content. This violates the security principle of never trusting user input, especially when that input is persisted to server-side storage.
The vulnerability is classified under CWE-472 (External Control of Assumed-Immutable Web Parameter), as the application assumes the return URL parameter will contain only valid URL data, when in reality an attacker can supply arbitrary content including executable code.
Attack Vector
The attack is network-accessible and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Sending an HTTP request to a Craft CMS endpoint that requires authentication
- Placing PHP code in the request path or query string, which becomes part of the stored return URL
- Receiving the session identifier in the Set-Cookie header of the login redirect; it maps directly to the session file name
- The malicious content is written to /var/lib/php/sessions/sess_[session_value] (or wherever session.save_path points)
- If a secondary vulnerability exists (e.g., an LFI that can include an absolute path), the attacker includes the session file and the injected code executes
The attack uses nothing beyond ordinary HTTP requests to the target server. The vulnerability's inclusion in the CISA KEV catalog indicates that threat actors are actively exploiting this technique in real-world attacks.
Detection Methods for CVE-2025-35939
Indicators of Compromise
- PHP session files under /var/lib/php/sessions/ (or the configured session.save_path) whose return URL value is anything other than a plain site path
- Session files containing PHP open tags such as <?php, <?=, or <? followed by whitespace, or their percent-encoded or base64-encoded equivalents
- Abnormally large session files, or files whose serialized data does not parse as the expected name|value; entries
- HTTP requests to protected endpoints whose path or query string contains PHP tags or other code-like patterns, raw or percent-encoded, answered with a redirect to the login page
Detection Strategies
- Monitor web application logs for requests with unusual URL content, particularly PHP syntax or percent-encoded payloads in the path or query string; decode before matching, since attackers encode payloads to evade simple grep patterns
- Scan the PHP sessions directory for content patterns rather than relying on file integrity monitoring alone: session files change constantly, so a content-based check for PHP tags is far less noisy than change alerts
- Deploy Web Application Firewall (WAF) rules to detect and block requests containing PHP code patterns in the URL, treating them as a stopgap: pattern rules are bypassable and are no substitute for the patch
- Use behavioral analysis to identify anomalous session creation patterns, such as rapid session generation from a single source hitting login-required endpoints
Monitoring Recommendations
- Configure alerts for any PHP session files containing executable code patterns or abnormal content
- Monitor for increased error rates related to session handling or file inclusion attempts
- Track authentication redirect patterns for anomalies indicating exploitation attempts
- Review server access logs for requests targeting protected endpoints with oversized or malformed URL parameters
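The indicators above, and the session-file format described under Technical Details, can be checked with a small script. The following is an added example written for this page, not code from Craft CMS or its maintainers; it assumes PHP's default php session serialize handler (name|value; entries, with strings stored as s:<len>:"..."), combined-format web server access logs, and the Debian-style /var/lib/php/sessions path. All sample session contents and log lines are constructed.

```python
"""Hunt for CVE-2025-35939-style session-file injection.

Added example for this page; not code from Craft CMS or its maintainers. Assumes
PHP's default 'php' session serialize handler (name|value; entries, strings as
s:<len>:"..."), combined-format access logs, and a Debian-style session directory.
All sample data below is constructed.
"""
import os
import re
from urllib.parse import unquote

# Anything a file-inclusion bug could execute: a PHP open tag (full, echo, short).
PHP_TAG = re.compile(r"<\?(php\b|=|\s)", re.IGNORECASE)
# Apache/nginx "combined" log: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')


def php_session_encode(session: dict) -> str:
    """Serialize scalars the way PHP's 'php' handler does. Strings are
    length-prefixed and never escaped, so an injected return URL lands verbatim."""
    parts = []
    for key, value in session.items():
        if value is None:
            parts.append(f"{key}|N;")
        elif isinstance(value, bool):            # must precede the int check
            parts.append(f"{key}|b:{int(value)};")
        elif isinstance(value, int):
            parts.append(f"{key}|i:{value};")
        elif isinstance(value, float):
            parts.append(f"{key}|d:{value};")
        else:
            parts.append(f'{key}|s:{len(value)}:"{value}";')
    return "".join(parts)


def parse_php_session(data: str) -> dict:
    """Decode scalar entries so a finding can be attributed to a session key.
    Arrays/objects are kept raw (the tag scan still sees them). Read files as
    latin-1 so one character equals one byte, matching PHP's s:<len> counts."""
    out, i, n = {}, 0, len(data)
    while i < n:
        bar = data.find("|", i)
        if bar == -1 or bar + 1 >= n:
            break
        key, i = data[i:bar], bar + 1
        t = data[i]
        if t == "s":
            m = re.match(r's:(\d+):"', data[i:])
            if not m:
                out[key] = data[i:]
                break
            start, length = i + m.end(), int(m.group(1))
            out[key] = data[start:start + length]
            i = start + length + 2               # skip the closing '";'
        elif t in "ibd":
            end = data.index(";", i)
            raw = data[i + 2:end]
            out[key] = {"i": int, "b": lambda r: bool(int(r)), "d": float}[t](raw)
            i = end + 1
        elif t == "N":
            out[key], i = None, i + 2
        else:
            out[key] = data[i:]                  # a:/O: etc.: keep raw, stop
            break
    return out


def scan_session_file(name: str, content: str) -> list:
    """(file, key, snippet) for every session string value holding a PHP tag."""
    return [(name, k, v[:60]) for k, v in parse_php_session(content).items()
            if isinstance(v, str) and PHP_TAG.search(v)]


def scan_session_dir(path: str = "/var/lib/php/sessions") -> list:
    """Scan every sess_* file under PHP's session.save_path."""
    findings = []
    for name in sorted(os.listdir(path)):
        if name.startswith("sess_"):
            with open(os.path.join(path, name), encoding="latin-1") as f:
                findings += scan_session_file(name, f.read())
    return findings


def decode_fully(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded tags are not missed."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def scan_access_log(lines) -> list:
    """(client, status, decoded target) for requests whose path or query string
    carries a PHP tag, raw or percent-encoded. The attempt is the indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and PHP_TAG.search(decode_fully(m.group("target"))):
            hits.append((m.group("ip"), m.group("status"), decode_fully(m.group("target"))))
    return hits


# Constructed samples: one ordinary return URL, one injected one; two encoded probes.
CONSTRUCTED_SESSIONS = {
    "sess_benign": php_session_encode({"returnUrl": "/admin/dashboard?page=2", "loginAttempts": 0}),
    "sess_inject": php_session_encode({"returnUrl": "/admin/entries?x=<?php system($_GET[0]); ?>"}),
}
CONSTRUCTED_LOG = [
    '203.0.113.5 - - [07/May/2025:10:12:01 +0000] "GET /admin/dashboard?page=2 HTTP/1.1" 302 0',
    '198.51.100.9 - - [07/May/2025:10:12:44 +0000] "GET /admin/entries?x=%3C%3Fphp%20system%28%24_GET%5B0%5D%29%3B%3F%3E HTTP/1.1" 302 0',
    '198.51.100.9 - - [07/May/2025:10:12:45 +0000] "GET /admin/entries?x=%253C%253Fphp%2520phpinfo%28%29%253B%253F%253E HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for name, content in CONSTRUCTED_SESSIONS.items():
        print(name, scan_session_file(name, content))
    print(scan_access_log(CONSTRUCTED_LOG))
    if os.path.isdir("/var/lib/php/sessions"):
        print(scan_session_dir())
```

Run it as a file to see the constructed samples scored, or call scan_session_dir() on a real host. The encoder is included to show why the injection works: the serializer never escapes string contents, so whatever the attacker put in the URL is exactly what an include() will parse. The log scanner flags percent-encoded tags as well, even though a copy decoded only once would not be parsed as PHP inside a session file, because the attempt itself is what you want to alert on.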
How to Mitigate CVE-2025-35939
Immediate Actions Required
- Upgrade Craft CMS 5.x installations to version 5.7.5 or later immediately
- Upgrade Craft CMS 4.x installations to version 4.15.3 or later immediately
- Review existing PHP session files for suspicious content, then purge them; purging invalidates all active logins, so schedule it accordingly
- Implement additional server-side input validation as a defense-in-depth measure
- Consider restricting public access to the control panel and other login-required routes until patching is complete
Patch Information
Craft CMS has released patched versions addressing this vulnerability. The fix is available in:
- Craft CMS 5.7.5 (GitHub Release 5.7.5)
- Craft CMS 4.15.3 (GitHub Release 4.15.3)
The GitHub Pull Request #17220 contains the technical details of the fix, which implements proper sanitization of return URL parameters before storing them in session files.
Organizations should prioritize this patch given the vulnerability's presence in the CISA Known Exploited Vulnerabilities catalog.
Workarounds
- Implement WAF rules to block requests containing PHP code patterns in the path or query string (a stopgap, not a fix)
- Configure PHP or Craft to use a non-file session store (e.g., database or Redis) so that session data is no longer written to a path a file inclusion bug could reach
- Do not rely on file system permissions on the sessions directory to break the chain: the PHP process that would perform the inclusion is the same user that owns and reads the session files, so permissions only keep other local users out
- Deploy network-level controls to limit access to the Craft CMS application while awaiting patching
# Example: lock the sessions directory to the PHP user (hygiene against other local users; does not stop PHP itself from including the files)
chmod 700 /var/lib/php/sessions
chown www-data:www-data /var/lib/php/sessions
# Example: ModSecurity rule blocking PHP open tags in the request URI or arguments.
# Phase 2 so all arguments are populated; urlDecodeUni and lowercase defeat simple encoding and case tricks.
SecRule REQUEST_URI|ARGS "@rx <\?(php|=|\s)" "id:100001,phase:2,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Potential PHP injection attempt (CVE-2025-35939)'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


