CVE-2025-0502

Summary

Transmission of Private Resources into a New Sphere ('Resource Leak') vulnerability in CrafterCMS Engine on Linux, MacOS, x86, Windows, 64 bit, ARM allows Directory Indexing, Resource Leak Exposure.This issue affects CrafterCMS: from 4.0.0 before 4.0.8, from 4.1.0 before 4.1.6.

Affected Software

VendorProductVersion RangeStatus
CrafterCMSCrafterCMS4.0.0 < 4.0.8affected
CrafterCMSCrafterCMS4.1.0 < 4.1.6affected

Weaknesses

  • CWE-402: CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak')

Workarounds

Block external access to the two APIs:

  • /api/1/site/content_store/tree.json
  • /api/1/site/content_store/item.json

Another approach is to block all APIs that start with /api/1/site; this can be done by changing server-config.properties to have the property:

restrict site API access

crafter.core.rest.content.store.url.allowedPatterns=^/?site(/.*)?$

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References