CVE-2025-0502

Transmission of Private Resources into a New Sphere ('Resource Leak') vulnerability in CrafterCMS Engine on Linux, MacOS, x86, Windows, 64 bit, ARM allows Directory Indexing, Resource Leak Exposure.This issue affects CrafterCMS: from 4.0.0 before 4.0.8, from 4.1.0 before 4.1.6.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://craftercms.com/docs/current/security/advisory.html#cv-2025011501	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:craftercms:craftercms::::::::
	cpe:2.3:a:craftercms:craftercms::::::::

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

History

15 Dec 2025, 20:57

Type	Values Removed	Values Added
Summary		(es) La vulnerabilidad de transmisión de recursos privados a una nueva esfera ('fuga de recursos') en CrafterCMS Engine en Linux, MacOS, x86, Windows, 64 bit, ARM permite la indexación de directorios y la exposición de fugas de recursos. Este problema afecta a CrafterCMS: desde la versión 4.0.0 hasta la 4.0.8, desde la versión 4.1.0 hasta la 4.1.6.
First Time		Microsoft Craftercms Linux linux Kernel Linux Craftercms craftercms Microsoft windows Apple macos Apple
CPE		cpe:2.3:a:craftercms:craftercms:::::::: cpe:2.3:o:microsoft:windows:-:::::::* cpe:2.3:o:apple:macos:-:::::::* cpe:2.3:o:linux:linux_kernel:-:::::::*
References	~~() https://craftercms.com/docs/current/security/advisory.html#cv-2025011501 -~~	() https://craftercms.com/docs/current/security/advisory.html#cv-2025011501 - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.1

15 Jan 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-15 18:15

Updated : 2025-12-15 20:57

NVD link : CVE-2025-0502

Mitre link : CVE-2025-0502

CVE.ORG link : CVE-2025-0502

JSON object : View

Products Affected

craftercms

craftercms

linux

linux_kernel

microsoft

windows

apple

macos

CWE

CWE-402

Transmission of Private Resources into a New Sphere ('Resource Leak')

{"id": "CVE-2025-0502", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security@craftersoftware.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-01-15T18:15:24.650", "references": [{"url": "https://craftercms.com/docs/current/security/advisory.html#cv-2025011501", "tags": ["Vendor Advisory"], "source": "security@craftersoftware.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@craftersoftware.com", "description": [{"lang": "en", "value": "CWE-402"}]}], "descriptions": [{"lang": "en", "value": "Transmission of Private Resources into a New Sphere ('Resource Leak') vulnerability in CrafterCMS Engine on Linux, MacOS, x86, Windows, 64 bit, ARM allows Directory Indexing, Resource Leak Exposure.This issue affects CrafterCMS: from 4.0.0 before 4.0.8, from 4.1.0 before 4.1.6."}, {"lang": "es", "value": " La vulnerabilidad de transmisi\u00f3n de recursos privados a una nueva esfera ('fuga de recursos') en CrafterCMS Engine en Linux, MacOS, x86, Windows, 64 bit, ARM permite la indexaci\u00f3n de directorios y la exposici\u00f3n de fugas de recursos. Este problema afecta a CrafterCMS: desde la versi\u00f3n 4.0.0 hasta la 4.0.8, desde la versi\u00f3n 4.1.0 hasta la 4.1.6."}], "lastModified": "2025-12-15T20:57:41.123", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:craftercms:craftercms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1376168B-9D16-436C-A524-A636B3D0828D", "versionEndExcluding": "4.0.8", "versionStartIncluding": "4.0.0"}, {"criteria": "cpe:2.3:a:craftercms:craftercms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7D214D37-1C07-45CA-9A91-872F1F26CBC1", "versionEndExcluding": "4.1.6", "versionStartIncluding": "4.1.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "security@craftersoftware.com"}