Overview
CVE-2025-65960 is a medium-severity Remote Code Execution (RCE) vulnerability in Contao, an open source CMS. It affects versions prior to 4.13.57, 5.3.42, and 5.6.5. An authenticated back-end user who controls the closures passed to a template's once() method can cause arbitrary PHP functions to be executed, provided those functions have no required parameters.
The advisory places the root cause in how Contao\Template::once() handles a callback that a back-end user controls. The constraint that only parameter-free functions are reachable is consistent with that callback being invoked with no arguments: any function whose parameters are all optional, or which has none, can still be called, so the practical limit is "no required parameters" rather than "no parameters".
Technical Details
The core issue lies within the Contao\Template::once() method and how it handles user-defined template closures. A back-end user with the permissions needed to control the content of these closures can cause the method to invoke a PHP function of their choosing. Being limited to functions that need no arguments narrows the options but does not remove the risk: every PHP function whose parameters are all optional qualifies, and whatever it does runs inside the web server's PHP process.
Specifically, the vulnerability can be triggered when:
- A back-end user has sufficient permissions to modify template content.
- The user inserts a malicious closure that calls a parameterless PHP function.
- The Contao\Template::once() method processes the malicious template.
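To make the mechanism concrete, the following is an added illustration written for this page, not Contao's actual Template code: a hypothetical once()-style helper that accepts any callable, beside one that accepts only a Closure. The class names, the assertClosure() helper and the input string are assumptions made for the demo. What it shows is that PHP's callable type accepts a plain string, and invoking that string turns it into a zero-argument function call, which is exactly the "no required parameters" constraint described above.

```php
<?php
// Added illustration (not Contao's code): why accepting `callable` where a
// Closure is meant lets a user-controlled string run as a PHP function.

declare(strict_types=1);

// Hypothetical helper modelled on the once() pattern: run a callback at most
// once per key and cache its result.
final class VulnerableTemplate
{
    /** @var array<string, mixed> */
    private array $done = [];

    // `callable` accepts Closures, but also strings such as "phpinfo" and
    // arrays such as ["SomeClass", "staticMethod"]. Anything that passes
    // is_callable() will be invoked here with zero arguments.
    public function once(string $key, callable $callback): mixed
    {
        if (!array_key_exists($key, $this->done)) {
            $this->done[$key] = $callback(); // a string here becomes a function call
        }

        return $this->done[$key];
    }
}

final class HardenedTemplate
{
    /** @var array<string, mixed> */
    private array $done = [];

    // Require a real Closure: a string or array value is a TypeError before
    // any call happens.
    public function once(string $key, \Closure $callback): mixed
    {
        if (!array_key_exists($key, $this->done)) {
            $this->done[$key] = $callback();
        }

        return $this->done[$key];
    }
}

// Defence-in-depth guard for code that must keep a `callable` signature
// (hypothetical helper name).
function assertClosure(mixed $cb): \Closure
{
    if (!$cb instanceof \Closure) {
        throw new \InvalidArgumentException('Template callbacks must be Closure instances');
    }

    return $cb;
}

// Constructed input: the attacker does not hand over a Closure object, only a
// value that is later treated as one. Here it is the name of a harmless
// built-in whose single parameter is optional, so it is callable with no
// arguments.
$userSupplied = 'phpversion';

$vulnerable = new VulnerableTemplate();
echo 'vulnerable: ', $vulnerable->once('k', $userSupplied), PHP_EOL; // phpversion() ran

$hardened = new HardenedTemplate();
try {
    $hardened->once('k', $userSupplied);
} catch (\TypeError $e) {
    echo 'hardened: rejected non-Closure callback', PHP_EOL;
}

try {
    assertClosure($userSupplied);
} catch (\InvalidArgumentException $e) {
    echo 'guard: ', $e->getMessage(), PHP_EOL;
}
```

The demo deliberately uses a harmless function; the same call site would accept any function name that needs no arguments. Tightening the parameter type to \Closure is the minimal fix for this pattern, and assertClosure() shows the equivalent runtime guard where the signature cannot change.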
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) score for CVE-2025-65960 is 6.6 (Medium).
The score is medium rather than high, but it still represents a meaningful risk. The following breakdown is hypothetical (the authoritative CVSS metrics will be on the NVD entry once published) and, as listed, does not reproduce 6.6: under CVSS v3.1, AV:N/AC:H/PR:H/UI:N/S:U with confidentiality, integrity and availability all Low computes to 4.1, while the same vector with all three impacts High computes to 6.6.
- Attack Vector (AV): Network (N) – The vulnerability can be exploited over a network.
- Attack Complexity (AC): High (H) – Requires specific knowledge and conditions to exploit.
- Privileges Required (PR): High (H) – Requires privileged access (backend user).
- User Interaction (UI): None (N) – No user interaction required to trigger the exploit.
- Scope (S): Unchanged (U) – The vulnerability’s impact is limited to the affected component.
- Confidentiality Impact (C): Low (L) – Some confidential information may be exposed.
- Integrity Impact (I): Low (L) – Some data may be modified.
- Availability Impact (A): Low (L) – System availability may be reduced.
The High attack complexity and required privileges pull the score down, but the network attack vector and the confidentiality, integrity, and availability impacts still make this a vulnerability to patch promptly rather than defer.
Possible Impact
Successful exploitation of CVE-2025-65960 can lead to:
- Remote Code Execution (RCE): An attacker can execute arbitrary PHP functions that take no required parameters on the server. How far that extends depends on which functions are available in the PHP build and what they can reach, up to complete control of the Contao installation.
- Data Breach: Sensitive data stored within the Contao CMS could be accessed and exfiltrated.
- Website Defacement: The attacker could modify the website’s content to display malicious or unwanted information.
- Denial of Service (DoS): The attacker could cause the Contao CMS to become unavailable, disrupting normal operations.
Mitigation or Patch Steps
The recommended course of action is to upgrade your Contao CMS installation to one of the following versions:
- Contao 4.13.57 or later
- Contao 5.3.42 or later
- Contao 5.6.5 or later
These versions contain the patches that address the vulnerability. Follow the standard Contao upgrade procedures, and confirm the installed version afterwards (for Composer-managed installations, composer show contao/core-bundle reports it).
Workaround (If Upgrade is Not Immediately Possible)
If an immediate upgrade is not possible, a temporary workaround is to backport the upstream change to the Contao\Template::once() method by hand. This means modifying core Contao code, which is strongly discouraged unless absolutely necessary and you understand the implications. Consult the linked security advisory for the precise change. Because the issue requires back-end privileges over template content, also restrict template editing in the back end to fully trusted users until the upgrade is done.
Warning: Manual patching can introduce instability and will be overwritten by future upgrades, so re-check once you do upgrade. Always back up your installation before applying any manual changes.
References
Contao Security Advisory
GitHub Security Advisory
NIST NVD CVE Detail (This link will be active once the CVE is officially listed)
