Craft CMS and CVE-2025-32432

On April 7, 2025, we received a report of a Craft CMS vulnerability that was based on a vulnerability in the Yii framework. Yii fixed that vulnerability in Yii 2.0.52.

We confirmed the vulnerability as valid and released Craft CMS versions 3.9.15, 4.14.15, and 5.6.17 on April 10th with an application-level fix.

We marked those releases as critical so affected sites would display a banner to control panel users, urging them to update.

On April 17, 2025, we discovered evidence to suggest the vulnerability was being exploited in the wild, so we decided to email all potentially affected license holders, encouraging them to update or install the Craft CMS Security Patches library as a stop-gap.

Triage

If you check your firewall logs or web server logs and find suspicious POST requests to the actions/assets/generate-transform Craft controller endpoint, specifically with the string __class in the body, then your site has at least been scanned for this vulnerability.

This is not a confirmation that your site has been compromised; it has only been probed.

Mitigation

The best way to defend your site against this exploit is to update to one of the patched releases. Refer to our updating guide for instructions.

The next-best way to defend your site is to block suspicious payloads at the firewall level.

As a last resort, you can install the Craft CMS Security Patches library. Note that this is a temporary workaround until you can update your site to a patched version.

This has been fixed in Craft 3.9.15, 4.14.15, and 5.6.17. You should ensure you’re running one of these versions or later.

If you believe your site has been compromised:

  • Refresh your security key in case it has already been captured. You can run the php craft setup/security-key command and copy the updated CRAFT_SECURITY_KEY environment variable to all production environments.

  • If you have any other private keys stored as environment variables (e.g. S3 or Stripe), refresh those as well.

  • Rotate your database credentials.

  • Out of an abundance of caution, you may want to force all your users to reset their passwords in case your database is compromised. You can do that by running php craft resave/users --set passwordResetRequired --to "fn() => true".

Firewall

You can block potentially malicious requests at your firewall by inspecting incoming POST body requests to the actions/assets/generate-transform endpoint for the string __class.
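The triage check from the Triage section and the firewall check above share the same logic, shown here as an added example that is not part of this advisory: a Python script that scans request records for POST requests to the generate-transform endpoint whose body contains __class. The JSON-per-line record format and its client, method, path and body fields are an assumption made for this example; ordinary web server access logs usually omit the request body, so in practice the input has to come from a firewall or WAF log that records it.

```python
import json
import urllib.parse
from collections import Counter

# Indicators named in the advisory: the controller endpoint and the body marker.
SUSPICIOUS_PATH = "actions/assets/generate-transform"
BODY_MARKER = "__class"


def is_probe(method, path, body):
    """True when a request matches the advisory's triage indicators: a POST to
    the generate-transform controller endpoint whose body contains __class."""
    if method.upper() != "POST" or SUSPICIOUS_PATH not in path:
        return False
    # Form-encoded bodies may carry the marker percent-encoded, so test the
    # decoded body as well as the raw one.
    return BODY_MARKER in body or BODY_MARKER in urllib.parse.unquote_plus(body)


def triage_log(lines):
    """Scan JSON-per-line request records (an assumed log format with client,
    method, path and body fields) and return the records that match."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if is_probe(rec.get("method", ""), rec.get("path", ""), rec.get("body", "")):
            hits.append(rec)
    return hits


def probes_per_client(hits):
    """Count matching requests per source address to see who has been probing."""
    return Counter(rec.get("client", "unknown") for rec in hits)


# Constructed sample records, not real traffic; payload values are placeholders.
SAMPLE_LOG = """
{"client": "203.0.113.5", "method": "POST", "path": "/actions/assets/generate-transform", "body": "assetId=1&handle=thumb&__class=PLACEHOLDER"}
{"client": "192.0.2.10", "method": "POST", "path": "/actions/assets/generate-transform", "body": "assetId=7&handle=thumb"}
{"client": "192.0.2.11", "method": "GET", "path": "/actions/assets/generate-transform", "body": ""}
{"client": "198.51.100.9", "method": "POST", "path": "/index.php?p=actions/assets/generate-transform", "body": "assetId=1&%5F%5Fclass=PLACEHOLDER"}
{"client": "192.0.2.12", "method": "POST", "path": "/actions/users/login", "body": "loginName=editor&__class=PLACEHOLDER"}
"""

if __name__ == "__main__":
    found = triage_log(SAMPLE_LOG.splitlines())
    for client, count in probes_per_client(found).items():
        print(f"{client}: {count} probe(s) of the generate-transform endpoint")
```

A match means the site was at least scanned, as the Triage section says; it is not by itself evidence of compromise.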

Craft Cloud

We have configured Craft Cloud’s global firewall to block malicious requests targeting this exploit. Craft Cloud users are still encouraged to update to patched versions of Craft.

We have no evidence of actual exploits on Craft Cloud.

Regardless of where you are hosted, we always recommend keeping your sites up-to-date so that they include the latest security fixes. Read more about hardening your Craft sites, or learn about the steps we take to keep Craft secure.

Credits

Credit to Orange Cyberdefense for discovering and reporting this bug.

Applies to Craft CMS 5, Craft CMS 4, Craft CMS 3, and Craft Cloud.