CVE-2025-52122
BaseFortify
Publication date: 2025-08-27
Last updated on: 2025-09-09
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| solspace | freeform | From 5.0.0 (inc) to 5.10.16 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-52122 is a Server-Side Template Injection (SSTI) vulnerability in the Freeform plugin for CraftCMS versions 5.0.0 to before 5.10.16. It allows users who have permission to edit forms to inject and execute arbitrary system commands through the submission title field. This happens because Freeform uses the Twig templating engine and improperly validates user input when using the 'call' filter, enabling attackers to execute commands like making network requests or running other system commands on the server. [1]
How can this vulnerability impact me? :
This vulnerability can have severe impacts including full system compromise, data theft, service disruption, or unauthorized access. Since it allows arbitrary code execution on the server, an attacker can run any command with the privileges of the web server, potentially leading to loss of data integrity, confidentiality, and availability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for suspicious Twig expressions in the submission title fields of Freeform forms, especially those containing the 'call' filter with system commands. You can search your database or form submissions for patterns like '{{' and 'call(' to identify potential exploitation attempts. Additionally, monitoring outgoing network requests for unusual curl or other system command invocations triggered by form submissions may help detect exploitation. Specific commands might include database queries to find submission titles containing Twig expressions or network monitoring tools to detect unexpected outbound connections. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Freeform to version 5.10.16 or later, where the vulnerability has been fixed. Until the upgrade can be applied, restrict or disable user permissions to edit forms or submission titles to prevent exploitation. Additionally, review and sanitize any user input that is processed by the Twig templating engine, and monitor for suspicious activity related to form submissions. [1]