CVE-2025-52122
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-27

Last updated on: 2025-09-09

Assigner: MITRE

Description
Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains an Server-side template injection (SSTI) vulnerability, resulting in arbitrary code injection for all users that have access to editing a form (submission title).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-27
Last Modified
2025-09-09
Generated
2026-06-16
AI Q&A
2025-08-27
EPSS Evaluated
2026-06-14
NVD
CVE-2025-52122
EUVD
EUVD-2025-25900
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
solspace freeform From 5.0.0 (inc) to 5.10.16 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1336 The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-52122 is a Server-Side Template Injection (SSTI) vulnerability in the Freeform plugin for CraftCMS versions 5.0.0 to before 5.10.16. It allows users who have permission to edit forms to inject and execute arbitrary system commands through the submission title field. This happens because Freeform uses the Twig templating engine and improperly validates user input when using the 'call' filter, enabling attackers to execute commands like making network requests or running other system commands on the server. [1]

Impact Analysis

This vulnerability can have severe impacts including full system compromise, data theft, service disruption, or unauthorized access. Since it allows arbitrary code execution on the server, an attacker can run any command with the privileges of the web server, potentially leading to loss of data integrity, confidentiality, and availability. [1]

Detection Guidance

This vulnerability can be detected by checking for suspicious Twig expressions in the submission title fields of Freeform forms, especially those containing the 'call' filter with system commands. You can search your database or form submissions for patterns like '{{' and 'call(' to identify potential exploitation attempts. Additionally, monitoring outgoing network requests for unusual curl or other system command invocations triggered by form submissions may help detect exploitation. Specific commands might include database queries to find submission titles containing Twig expressions or network monitoring tools to detect unexpected outbound connections. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading Freeform to version 5.10.16 or later, where the vulnerability has been fixed. Until the upgrade can be applied, restrict or disable user permissions to edit forms or submission titles to prevent exploitation. Additionally, review and sanitize any user input that is processed by the Twig templating engine, and monitor for suspicious activity related to form submissions. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-52122. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart