CVE-2025-68454 Overview
CVE-2025-68454 is an authenticated Remote Code Execution (RCE) vulnerability affecting Craft CMS, a popular platform for creating digital experiences. The vulnerability exists due to improper neutralization of special elements used in a template engine (CWE-1336), allowing attackers to exploit Server-Side Template Injection (SSTI) in Twig templates.
This vulnerability affects Craft CMS versions 5.0.0-RC1 through 5.8.20 and versions 4.0.0-RC1 through 4.16.16. Exploitation requires either administrator access with allowAdminChanges enabled, or a non-administrator account with access to the System Messages utility. Attackers can craft malicious payloads using the Twig map filter in text fields that accept Twig input, ultimately achieving remote code execution on the underlying server.
Critical Impact
Authenticated attackers can achieve remote code execution on Craft CMS installations by exploiting Twig SSTI through the map filter in Settings text fields or the System Messages utility.
Affected Products
- Craft CMS versions 5.0.0-RC1 through 5.8.20
- Craft CMS versions 4.0.0-RC1 through 4.16.16
Discovery Timeline
- 2026-01-05 - CVE-2025-68454 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-68454
Vulnerability Analysis
This vulnerability stems from improper handling of user-controlled input within Twig template processing in Craft CMS. The Twig templating engine, while powerful for content rendering, can become a security liability when user-supplied data is processed without adequate sanitization.
The exploitation path involves the Twig map filter, which can be abused in text fields that accept Twig input. These vulnerable fields exist within the Settings section of the Craft Control Panel and within the System Messages utility. When a malicious payload is injected into these fields, Twig processes the template syntax, potentially executing arbitrary code on the server.
The attack requires authentication, which limits the attack surface. However, once an attacker gains access to an administrator account (or a non-admin account with System Messages access), they can leverage this SSTI vulnerability to achieve full remote code execution. This could lead to complete server compromise, data exfiltration, lateral movement within the network, and persistent backdoor installation.
Root Cause
The root cause is a Server-Side Template Injection (SSTI) vulnerability classified as CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine). Craft CMS fails to properly sanitize or restrict Twig template syntax in certain text fields, allowing the map filter to be weaponized for code execution.
The vulnerability exists because:
- Text fields in Settings and System Messages accept Twig template syntax
- The Twig map filter can be chained with other functions to execute arbitrary code
- Input validation does not adequately prevent malicious template constructs
Attack Vector
The attack leverages network-based access to the Craft CMS Control Panel. An attacker must first authenticate to the system with appropriate privileges:
- Administrator Access Path: Requires admin credentials and allowAdminChanges to be enabled (against Craft CMS recommendations for production)
- System Messages Path: Requires any account with access to the System Messages utility, even without admin privileges and with allowAdminChanges disabled
Once authenticated, the attacker navigates to text fields that process Twig templates and injects a malicious payload using the map filter. The Twig engine processes the template, resulting in arbitrary code execution with the privileges of the web server process.
The vulnerability mechanism involves crafting malicious Twig template syntax that abuses the map filter functionality. When this payload is processed by the Twig templating engine, it can call arbitrary PHP functions, leading to remote code execution. For detailed technical analysis of the exploitation technique, see the GitHub Security Advisory GHSA-742x-x762-7383.
Detection Methods for CVE-2025-68454
Indicators of Compromise
- Unusual modifications to System Messages or Settings text fields containing Twig syntax with the map filter
- Unexpected outbound network connections from the web server process
- Anomalous process spawning from PHP or web server processes
- Log entries showing repeated access to Craft CMS Control Panel Settings or System Messages endpoints
- Presence of web shells or backdoors in the Craft CMS installation directory
Detection Strategies
- Monitor web application logs for POST requests to Settings and System Messages endpoints containing suspicious Twig template syntax
- Implement file integrity monitoring on Craft CMS core files and template directories
- Deploy web application firewalls (WAF) with rules to detect SSTI patterns in request bodies
- Review audit logs for changes to System Messages and Settings by users who typically don't modify these areas
Monitoring Recommendations
- Enable comprehensive logging for Craft CMS Control Panel authentication and configuration changes
- Set up alerts for Twig template syntax patterns commonly associated with SSTI exploitation (e.g., the map, filter, or reduce filters combined with shell execution patterns)
- Monitor for abnormal PHP process behavior including unexpected system calls or network connections
- Implement user behavior analytics to detect accounts accessing sensitive configuration areas outside normal patterns
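As an added example (not code from this page or from Craft CMS), the following Python routine implements the log-monitoring strategy above: it flags POSTs to Settings and System Messages endpoints whose body passes a quoted string literal, rather than an arrow function, to a callable-taking Twig filter such as map. The JSON log format, the Control Panel paths and the sample events are constructed assumptions; the same suspicious_twig check can also be run over exported System Messages bodies during the review step under Mitigation.

```python
import json
import re
from urllib.parse import unquote_plus

# Twig filters that take a callable. A quoted string literal in the callable
# position (instead of an arrow function such as `x => x.title`) is the shape
# worth flagging: ordinary templates pass arrow functions, not function names.
STRING_CALLABLE = re.compile(
    r"\|\s*(?:map|filter|reduce|sort|find)\s*\(\s*['\"]", re.IGNORECASE)
TWIG_EXPR = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)
# Control Panel paths to watch: assumed defaults (cpTrigger "admin"), adjust to yours.
SENSITIVE_PATHS = ("/admin/settings/", "system-messages")

def suspicious_twig(text):
    """True if any Twig expression in `text` (possibly URL-encoded form data)
    passes a string literal to a callable-taking filter."""
    decoded = unquote_plus(text)
    return any(STRING_CALLABLE.search(m.group(0))
               for m in TWIG_EXPR.finditer(decoded))

def scan_log(lines):
    """Return (user, path) for POSTs to sensitive paths whose body carries
    suspicious Twig. Lines are JSON events from a body-capturing proxy or WAF."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("method") != "POST":
            continue
        path = ev.get("path", "")
        if not any(p in path for p in SENSITIVE_PATHS):
            continue
        if suspicious_twig(ev.get("body", "")):
            hits.append((ev.get("user"), path))
    return hits

# Constructed sample events (not real traffic); bodies are URL-encoded form posts.
SAMPLE_LOG = [
    # Legitimate arrow-function use of map: not flagged.
    '{"user":"editor1","method":"POST","path":"/admin/utilities/system-messages",'
    '"body":"body=%7B%7B+items%7Cmap%28i+%3D%3E+i.title%29+%7D%7D"}',
    # A string literal where a callable is expected, on a sensitive path: flagged.
    '{"user":"editor2","method":"POST","path":"/admin/utilities/system-messages",'
    '"body":"body=%7B%7B+%5B1%5D%7Cmap%28%27PLACEHOLDER_FUNCTION%27%29+%7D%7D"}',
    # Same text on a GET: no write to the field, so this rule ignores it.
    '{"user":"editor2","method":"GET","path":"/admin/settings/general",'
    '"body":"%7B%7B+%5B1%5D%7Cmap%28%27PLACEHOLDER_FUNCTION%27%29+%7D%7D"}',
]
if __name__ == "__main__":
    for user, path in scan_log(SAMPLE_LOG):
        print(f"ALERT: {user} posted suspicious Twig to {path}")
```

Web server access logs normally omit request bodies, so this rule needs a WAF, reverse proxy or application-level log that records them.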
How to Mitigate CVE-2025-68454
Immediate Actions Required
- Update Craft CMS to version 5.8.21 or 4.16.17 immediately to address this vulnerability
- Disable allowAdminChanges in all non-development environments as recommended by Craft CMS
- Audit user accounts and remove unnecessary access to the System Messages utility
- Review recent changes to System Messages and Settings text fields for potentially malicious content
- Rotate credentials for administrator accounts if compromise is suspected
Patch Information
Craft CMS has released patched versions that address this vulnerability:
- Version 5.x: Update to 5.8.21 or later
- Version 4.x: Update to 4.16.17 or later
The fix is documented in the GitHub Changelog and the specific code changes can be reviewed in the commit d82680f. For complete details on the vulnerability and remediation, consult the GitHub Security Advisory.
Workarounds
- Set allowAdminChanges to false in production environments to limit the attack surface for administrator accounts
- Restrict access to the System Messages utility to only essential personnel
- Implement network segmentation to limit access to the Craft CMS Control Panel from trusted networks only
- Consider placing a web application firewall in front of Craft CMS to filter potentially malicious template injection attempts
// Configuration example: disable allowAdminChanges in config/general.php (Craft 4/5 array form).
// '*' marks a multi-environment config; 'production' assumes CRAFT_ENVIRONMENT is "production".
return [
    '*' => [],
    'production' => [
        'allowAdminChanges' => false,
    ],
];
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

