CVE-2025-35939: 
PHP vulnerability analysis and mitigation

CVE-2025-35939 affects Craft CMS and was disclosed on May 7, 2025. The vulnerability allows unauthenticated users to store arbitrary content in session files on the server. Specifically, when Craft CMS redirects unauthenticated requests to the login page, it generates session files at /var/lib/php/sessions named sess_[session_value], where the session value is provided to the client via a Set-Cookie header. The vulnerability stems from the CMS storing return URLs without proper sanitization (NVD).

The vulnerability is classified as CWE-472 (External Control of Assumed-Immutable Web Parameter). It has received a CVSS v4.0 base score of 6.9 (Medium) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N, and a CVSS v3.1 base score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD).

The vulnerability allows unauthenticated users to introduce arbitrary values, including potentially malicious PHP code, to a known local file location on the server. This content could potentially be accessed and executed if combined with an independent vulnerability (NVD).

Craft CMS has released versions 5.7.5 and 4.15.3 to address this vulnerability. The fix includes sanitization of return URLs before they are saved to the PHP session (GitHub Release 5.7.5, GitHub Release 4.15.3).