There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create() Twig function combined with a Symfony Process gadget chain.
This bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7).
Required Permissions
Vulnerability Details
The create() Twig function exposes Craft::createObject(), which allows instantiation of arbitrary PHP classes with constructor arguments. Combined with the bundled symfony/process dependency, this enables RCE.
Attack Vector
Admin panel → Settings → Entry Types → Title Format field
Proof of Concept Payload
{% set p = create("Symfony\\Component\\Process\\Process", [["id"]])
%}{{ p.mustRun.getOutput }}
Steps to Reproduce
- Log in as admin
- Navigate to Settings → Entry Types
- Edit any entry type’s "Title Format" field
- Insert the payload above
- Create/edit an entry of that type
- Command executes, output appears in entry title
Impact
- Authenticated Remote Code Execution
- Runs as web server user (root in default Docker setup)
- Full server compromise
Root Cause
Craft::createObject() allows the instantiation of any class, including
Symfony\Component\Process\Process, which executes shell commands.
Suggested Fix
- Blocklist dangerous classes in createObject() when called from Twig
- Or remove/restrict the create() Twig function
- Or validate class names against an allowlist
References
e31e508
There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the
create()Twig function combined with a Symfony Process gadget chain.This bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7).
Required Permissions
allowAdminChangesenabled in production (against our security recommendations) or access to System Messages utilityVulnerability Details
The
create()Twig function exposesCraft::createObject(), which allows instantiation of arbitrary PHP classes with constructor arguments. Combined with the bundledsymfony/processdependency, this enables RCE.Attack Vector
Admin panel → Settings → Entry Types → Title Format field
Proof of Concept Payload
Steps to Reproduce
Impact
Root Cause
Craft::createObject() allows the instantiation of any class, including
Symfony\Component\Process\Process, which executes shell commands.Suggested Fix
References
e31e508