CVE-2024-56145: 
PHP vulnerability analysis and mitigation

CVE-2024-56145 is a critical remote code execution (RCE) vulnerability affecting Craft CMS, a flexible, user-friendly content management system. The vulnerability was discovered in December 2024 and affects Craft versions 5.0.0-RC1 to 5.5.2 (excluded), 4.0.0-RC1 to 4.13.2 (excluded), and 3.0.0 to 3.9.14 (excluded). The vulnerability is present when the PHP configuration setting 'register_argc_argv' is enabled, which is the default configuration in the official Craft CMS docker image (Assetnote Blog, GitHub Advisory).

The vulnerability exists in the bootstrap/bootstrap.php file of Craft CMS, where command-line options are processed without verifying whether the code is running in a CLI environment. The flaw leverages the behavior of the register_argc_argv PHP configuration, which allows query string arguments to populate the $_SERVER['argv'] array, mimicking command-line input. The vulnerability has been assigned a CVSS score of 9.3 (Critical), with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (NVD).

The vulnerability enables unauthenticated remote code execution on affected Craft CMS installations. Attackers can manipulate paths like --templatesPath or --configPath, forcing the CMS to load arbitrary files. This can lead to complete system compromise, particularly through the exploitation of template files loaded via FTP wrapper, bypassing Craft CMS's built-in sandboxing mechanisms (Assetnote Blog).

The vulnerability has been patched in Craft CMS versions 5.5.2, 4.13.2, and 3.9.14. Users are strongly advised to update to these versions or later. For those unable to upgrade immediately, a temporary mitigation is available by disabling the register_argc_argv setting in the php.ini configuration file (GitHub Advisory).

The Craft CMS team responded promptly to the vulnerability disclosure, releasing patches within 24 hours. The security community has noted the widespread impact potential, given that Craft CMS powers over 150,000 websites worldwide, ranging from small businesses to large enterprises (Assetnote Blog).