CVE-2026-25498 Overview
CVE-2026-25498 is a Remote Code Execution (RCE) vulnerability affecting Craft CMS, a popular platform for creating digital experiences. The vulnerability exists in the assembleLayoutFromPost() function within src/services/Fields.php, which fails to sanitize user-supplied configuration data before passing it to Craft::createObject(). This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server.
This vulnerability represents an unpatched variant of the behavior injection vulnerability addressed in CVE-2025-68455, affecting different endpoints through a separate code path.
Critical Impact
Authenticated administrators can achieve full server compromise through arbitrary command execution by exploiting unsanitized Yii2 behavior configurations.
Affected Products
- Craft CMS versions 4.0.0-RC1 through 4.16.17
- Craft CMS versions 5.0.0-RC1 through 5.8.21
Discovery Timeline
- 2026-02-09 - CVE-2026-25498 published to NVD
- 2026-02-09 - Last updated in NVD database
Technical Details for CVE-2026-25498
Vulnerability Analysis
This vulnerability is classified under CWE-470 (Use of Externally-Controlled Input to Select Classes or Code), commonly known as Object Injection or unsafe reflection. The flaw exists because the assembleLayoutFromPost() function directly processes JSON-encoded field layout configuration from POST request parameters without proper sanitization.
When Craft CMS processes field layout configurations, the system deserializes and passes the configuration directly to Craft::createObject(), which is Yii2's factory method for instantiating objects. Since Yii2 supports behavior configuration that can include callbacks and closures, an attacker with administrative privileges can craft malicious payloads that inject arbitrary behaviors with system command execution capabilities.
The vulnerability requires authenticated administrator access, limiting the attack surface. However, once exploited, it provides complete server-side code execution, potentially leading to full system compromise, data exfiltration, or lateral movement within the network.
Root Cause
The root cause is the absence of input sanitization on configuration data received from POST requests before object instantiation. The assembleLayoutFromPost() function retrieves the fieldLayout parameter from the request body and passes the decoded JSON directly to createLayout() without validating or cleansing potentially dangerous configuration attributes that Yii2's object factory method interprets as behavior configurations.
Attack Vector
The attack vector is network-based and requires an authenticated session with administrator privileges. The sequence is:
- The attacker authenticates as an administrator to the Craft CMS control panel
- The attacker crafts a malicious JSON payload containing Yii2 behavior configurations with embedded system commands
- The attacker submits the payload via a POST request to an endpoint that processes field layouts
- The assembleLayoutFromPost() function passes the unsanitized configuration to Craft::createObject()
- Yii2 instantiates objects with the attacker-controlled behavior, executing arbitrary system commands
// Security patch in src/services/Fields.php
// Source: https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748
public function assembleLayoutFromPost(?string $namespace = null): FieldLayout
{
$paramPrefix = $namespace ? rtrim($namespace, '.') . '.' : '';
- $config = Json::decode(Craft::$app->getRequest()->getBodyParam($paramPrefix . 'fieldLayout'));
+ $config = ComponentHelper::cleanseConfig(Json::decode(Craft::$app->getRequest()->getBodyParam($paramPrefix . 'fieldLayout')));
return $this->createLayout($config);
}
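Review bot: the decoded body parameter is handed straight to ComponentHelper::cleanseConfig() with no check that it is an array; when the fieldLayout parameter is absent, Json::decode() returns null, and a JSON scalar decodes to a non-array, so the failure would surface at the helper's parameter type rather than as a request-validation error. Consider guarding with `if (!is_array($config)) { throw new BadRequestHttpException('Invalid field layout.'); }` before the cleanse. Two smaller points: createLayout($config) still trusts whatever it receives, so any other caller that builds a layout from request or import data needs the same cleansing (or the cleanse belongs inside createLayout() as defence in depth); and the hunk does not show the `use` import for the ComponentHelper alias, so confirm it is added at the top of Fields.php.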
The patch introduces ComponentHelper::cleanseConfig() to sanitize the decoded JSON configuration before passing it to createLayout(), removing potentially dangerous attributes that could be exploited for behavior injection.
Detection Methods for CVE-2026-25498
Indicators of Compromise
- Unexpected POST requests to Craft CMS admin endpoints containing suspicious fieldLayout parameters with nested behavior configurations
- Web server logs showing unusual JSON payloads with class, behaviors, or callback-related attributes in field layout submissions
- Process execution anomalies where the web server process spawns unexpected child processes or system commands
- File system modifications or new files created by the web server user outside normal application directories
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block POST requests containing Yii2 behavior injection patterns such as behaviors, __class, or serialized closure attributes
- Monitor application logs for field layout submissions with abnormally large or complex JSON structures
- Deploy runtime application self-protection (RASP) to detect and block dangerous object instantiation patterns
- Configure endpoint detection to alert on process execution chains originating from PHP-FPM or web server processes
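As an added example (not code from Craft CMS or from this advisory), the following Python models both the root-cause fix and the detection advice above: it walks a decoded fieldLayout request body for the config keys Yii2's object factory interprets as behavior ("as ..."), event-handler ("on ...") or class-selection ("__class") configuration, reports their paths, and strips them the way the patch's ComponentHelper::cleanseConfig() does in principle. The sample request bodies are constructed, and the exact key set Craft's helper removes is an assumption here.

```python
import json

# Yii2's object factory attaches a behavior for any config key starting with "as "
# and an event handler for any key starting with "on "; "__class" picks the class.
# A field-layout submission never needs these, so their presence is the signal.
INJECTION_PREFIXES = ("as ", "on ")
INJECTION_KEYS = {"__class"}


def find_injection_keys(node: object, path: str = "fieldLayout") -> list[str]:
    """Return JSON paths of keys Yii2 would treat as behavior/event/class config."""
    hits: list[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key.startswith(INJECTION_PREFIXES) or key in INJECTION_KEYS:
                hits.append(child)
            hits.extend(find_injection_keys(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_injection_keys(value, f"{path}[{i}]"))
    return hits


def cleanse_config(node: object) -> object:
    """Drop those keys recursively: the approach the patch takes (assumed key set)."""
    if isinstance(node, dict):
        return {k: cleanse_config(v) for k, v in node.items()
                if not (k.startswith(INJECTION_PREFIXES) or k in INJECTION_KEYS)}
    if isinstance(node, list):
        return [cleanse_config(v) for v in node]
    return node


def scan_bodies(bodies: list[str]) -> dict[int, list[str]]:
    """Map body index -> suspicious paths; bodies that are not JSON are skipped."""
    findings: dict[int, list[str]] = {}
    for i, raw in enumerate(bodies):
        try:
            hits = find_injection_keys(json.loads(raw))
        except json.JSONDecodeError:
            continue
        if hits:
            findings[i] = hits
    return findings


# Constructed sample fieldLayout bodies (not real traffic): benign, injected, not JSON.
SAMPLE_BODIES = [
    '{"tabs":[{"name":"Content","elements":[{"type":"craft\\\\fieldlayoutelements\\\\TitleField"}]}]}',
    '{"tabs":[{"name":"Content","as x":{"class":"PLACEHOLDER_BEHAVIOR_CLASS"}}]}',
    'not json',
]
```

Feeding captured fieldLayout bodies from a WAF or audit log into scan_bodies() gives the per-request alerts the Detection Strategies list asks for; cleanse_config() shows why the patched code no longer reaches Craft::createObject() with those keys.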
Monitoring Recommendations
- Enable detailed access logging for all Craft CMS administrative endpoints
- Implement file integrity monitoring on the Craft CMS installation directory
- Configure alerts for any outbound network connections initiated by the web server process
- Review administrator activity logs for unusual field layout modification patterns
How to Mitigate CVE-2026-25498
Immediate Actions Required
- Upgrade Craft CMS to version 5.8.22 or later immediately
- For Craft CMS 4.x deployments, apply the patch from commit 395c64f or upgrade to a patched version
- Audit administrator accounts and remove any unnecessary administrative privileges
- Review access logs for any suspicious POST activity targeting field layout endpoints
Patch Information
The vulnerability is fixed in Craft CMS version 5.8.22. The fix introduces proper sanitization of configuration data using ComponentHelper::cleanseConfig() before object instantiation. Security details are available in the GitHub Security Advisory GHSA-7jx7-3846-m7w7. The patched release is available at GitHub Release 5.8.22.
Workarounds
- Restrict administrative access to trusted IP addresses only using firewall rules or web server configuration
- Implement additional authentication factors for administrator accounts
- Deploy a WAF with rules to block suspicious behavior configuration patterns in request bodies
- Consider temporarily disabling administrative field layout modification features until patching is complete
# Example: Restrict Craft CMS admin access by IP using nginx
location /admin {
    allow 10.0.0.0/8;
    allow 192.168.1.0/24;
    deny all;
    # Continue with existing PHP-FPM configuration
    try_files $uri $uri/ /index.php?$query_string;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

