Security Vulnerability Report
CVE-2025-65960 CVSS 6.6 MEDIUM

CVE-2025-65960

Published: 2025-11-25 19:15:51
Last Modified: 2025-12-03 17:55:34

Description

Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, back end users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves manually patching the Contao\Template::once() method.
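
The description names the bug class but not the code pattern behind it. The PHP below is an added example written for this page, not Contao's Template::once() and not its patch: it models a hypothetical `once()` helper that caches and runs a template callback, first as a method that accepts any PHP `callable`, then as one that accepts only a `\Closure`. NVD classifies the weakness as CWE-351 (Insufficient Type Distinction), and the model shows why that classification fits: a bare string function name is a valid `callable`, so whoever controls that value can have any PHP function with no required parameters executed, which matches the limit stated in the description. The class name `TemplateModel`, the two method names and the sample callable `php_uname` are this example's own; PHP 8.0 or later is assumed.

```php
<?php
// Added example, not Contao's code: a minimal model of the CWE-351 pattern the
// advisory describes. `TemplateModel` is hypothetical; Contao's real
// Template::once() and its fix are not reproduced here.
declare(strict_types=1);

final class TemplateModel
{
    /** @var array<string, mixed> results cached per key, run-once semantics */
    private array $onceCache = [];

    // Weak pattern: any PHP callable is accepted and invoked with no arguments.
    // If the attacker can make $callback the string 'php_uname' (or any other
    // function name), that function runs. A function with required parameters
    // throws ArgumentCountError instead, which is why the advisory limits the
    // impact to functions "that do not have required parameters".
    public function onceWeak(string $key, callable $callback): mixed
    {
        if (!array_key_exists($key, $this->onceCache)) {
            $this->onceCache[$key] = call_user_func($callback);
        }

        return $this->onceCache[$key];
    }

    // Hardened pattern: only a real Closure (an anonymous function written in
    // the template source) is accepted. A bare function name, an array-style
    // callable or an invokable object is rejected by the type system before
    // anything is called.
    public function onceHardened(string $key, \Closure $callback): mixed
    {
        if (!array_key_exists($key, $this->onceCache)) {
            $this->onceCache[$key] = $callback();
        }

        return $this->onceCache[$key];
    }
}

// Constructed demonstration input: a harmless zero-argument function name that
// stands in for whatever an attacker-controlled template value would supply.
$attackerCallable = 'php_uname';

$t = new TemplateModel();

// Weak variant: the attacker-chosen function executes.
echo 'weak:     ', $t->onceWeak('probe', $attackerCallable), PHP_EOL;

// Hardened variant: a string is not a Closure, so PHP throws TypeError and
// nothing is executed.
try {
    $t->onceHardened('probe', $attackerCallable);
} catch (\TypeError $e) {
    echo 'hardened: rejected (', get_class($e), ')', PHP_EOL;
}

// Legitimate template usage keeps working with the hardened signature.
echo 'legit:    ', $t->onceHardened('legit', static fn(): string => 'rendered once'), PHP_EOL;
```

Run it with `php once_model.php`. The point to take from the model is that narrowing the parameter type from `callable` to `\Closure` is what removes the attacker's choice of function; the vendor patch releases (4.13.57, 5.3.42, 5.6.5) are the supported fix, and the model is only an illustration of the class of change, not a drop-in replacement for the real method.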

CVSS Details

CVSS Score
6.6
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
PR:H and AC:H reflect the preconditions in the description: an authenticated back end account that can edit templates and precise control over the closure contents. Once those are met the impact is full (C:H/I:H/A:H) within the application scope (S:U).

Configurations (Affected Products)

cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:* - VULNERABLE, Contao CMS 4.0.0 - 4.13.56 (from 4.0.0, before 4.13.57)
cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:* - VULNERABLE, Contao CMS 5.0.0 - 5.3.41 (from 5.0.0, before 5.3.42)
cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:* - VULNERABLE, Contao CMS 5.4.0 - 5.6.4 (from 5.4.0, before 5.6.5)
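
To check a deployment against the three ranges above, here is an added example written for this page (not part of the NVD record and not Contao's tooling). The function normalises a version string and compares it against each vulnerable range using PHP's `version_compare`. It assumes the version to test is the one `composer show contao/core-bundle` reports for the installation; the function name and the constant name are this example's own.

```php
<?php
// Added example, not from the page or from Contao: tests a Contao version
// string against the vulnerable ranges NVD lists for CVE-2025-65960.
declare(strict_types=1);

// Vulnerable ranges as [start inclusive, first fixed release], copied from the
// CPE configuration above. The end of each range is the patched version.
const CVE_2025_65960_RANGES = [
    ['4.0.0', '4.13.57'],
    ['5.0.0', '5.3.42'],
    ['5.4.0', '5.6.5'],
];

function isAffectedByCve202565960(string $version): bool
{
    // Accept "v5.3.41" as well as "5.3.41". Pre-release suffixes such as
    // "-RC1" are left in place: version_compare ranks them below the final
    // release, so "5.3.42-RC1" still counts as affected.
    $clean = ltrim(trim($version), 'vV');
    if ($clean === '') {
        throw new \InvalidArgumentException('empty version string');
    }

    foreach (CVE_2025_65960_RANGES as [$start, $fixed]) {
        if (version_compare($clean, $start, '>=') && version_compare($clean, $fixed, '<')) {
            return true;
        }
    }

    return false;
}

// Usage: php check_cve_2025_65960.php 5.3.41
// Without an argument, a constructed sample set exercises the range edges.
$samples = isset($argv[1])
    ? [$argv[1]]
    : ['4.13.56', '4.13.57', '5.3.41', '5.3.42-RC1', 'v5.3.42', '5.4.9', '5.5.3', '5.6.4', '5.6.5'];

foreach ($samples as $v) {
    printf("%-12s %s\n", $v, isAffectedByCve202565960($v) ? 'VULNERABLE' : 'not affected');
}
```

One consequence of the third range worth spelling out: every 5.4.x and 5.5.x release falls inside it, and no patched 5.4 or 5.5 release exists in the NVD data, so the upgrade target for those branches is 5.6.5 (or a later release).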

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
php
<?php
// CVE-2025-65960 PoC sketch - Contao Template::once() arbitrary function call
// Requires back end user access with template editing privileges.
//
// Scope as stated in the advisory: the attacker can make Template::once()
// run an arbitrary PHP function, but only one that has no required
// parameters, because the callable is invoked without arguments. phpinfo()
// is such a function and gives a visible result. A call like system('whoami')
// passes an argument, so it is not what the description supports.
$maliciousClosure = static function (): void {
    phpinfo();
};

// In Contao context, the vulnerability allows attackers to:
// 1. Inject crafted closure content into template files
// 2. Trigger execution through the Template::once() method
// 3. Execute the chosen zero-argument PHP function
//
// Example attack vector: a back end user with template edit rights creates
// or modifies a template whose closure content is processed by the
// vulnerable code path.
//
// Note: the exact template manipulation is not given in the advisory.
// Refer to the official patch (4.13.57, 5.3.42, 5.6.5) for remediation.

References

https://contao.org/en/security-advisories/remote-code-execution-in-template-closures (Vendor Advisory)
https://github.com/contao/contao/security/advisories/GHSA-98vj-mm79-v77r (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65960", "sourceIdentifier": "[email protected]", "published": "2025-11-25T19:15:51.203", "lastModified": "2025-12-03T17:55:34.283", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, back end users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves manually patching the Contao\\Template::once() method."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.7, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-351"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0", "versionEndExcluding": "4.13.57", "matchCriteriaId": "476CF4CA-7225-4CE2-B400-9D69AFB9C609"}, {"vulnerable": true, "criteria": "cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0.0", "versionEndExcluding": "5.3.42", "matchCriteriaId": "13024496-5AD3-4439-983D-5D29485E9A26"}, {"vulnerable": true, "criteria": "cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.0", "versionEndExcluding": "5.6.5", "matchCriteriaId": "839D1FF5-F939-4BE8-B0E6-182DBF9A1A5B"}]}]}], "references": [{"url": "https://contao.org/en/security-advisories/remote-code-execution-in-template-closures", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://github.com/contao/contao/security/advisories/GHSA-98vj-mm79-v77r", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}