
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A critical remote code execution vulnerability was identified in Crayfish's Hypercube component (GHSA-c2p2-hgjg-9r3f), affecting versions <= 4.0.0 of the islandora/crayfish Composer package. The vulnerability was discovered and published on February 12, 2025. It allows potential remote code execution through the X-Islandora-Args header in web-accessible installations of Hypercube (GitHub Advisory).
The vulnerability has been assigned a Critical severity rating with a CVSS score of 9.5/10. The CVSS v4 metrics indicate Network attack vector, Low attack complexity, Present attack requirements, No privileges required, and No user interaction needed. The vulnerability impacts both vulnerable and subsequent systems with High ratings for Confidentiality, Integrity, and Availability. The vulnerability is associated with CWE-74 and CWE-150 weaknesses (GitHub Advisory).
The vulnerability enables remote code execution in web-accessible installations of Hypercube, potentially compromising system security. Both vulnerable and subsequent systems face high impacts on confidentiality, integrity, and availability, indicating severe potential consequences if successfully exploited (GitHub Advisory).
While no patch is currently available, the vulnerability can be mitigated by ensuring Hypercube is not directly accessible from the Internet. Organizations using official installation methods have Crayfish behind a firewall by default, requiring no additional action. Web server configuration can be modified to validate header structures, though this is only necessary for publicly exposed endpoints. Standard security practices should be maintained (GitHub Advisory).
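One way to express the header validation mentioned above, as an added example that is not from the advisory or the Crayfish project: a front-end filter that rejects requests whose X-Islandora-Args value contains control characters or tokens outside an allowlist. The token grammar, length limit and function names are assumptions, since the advisory summary does not define the valid header structure.

```python
import re

HEADER = "X-Islandora-Args"
MAX_LEN = 512  # assumed limit, not taken from the advisory

# Assumed policy: every space-separated token is either an option such as
# "-resize" or a plain value such as "50%", "800x600" or "jpg".
OPTION = re.compile(r"-[A-Za-z][A-Za-z-]{0,31}")
VALUE = re.compile(r"[A-Za-z0-9][A-Za-z0-9%.,:+-]{0,63}")


def check_args_header(value):
    """Return (ok, reason) for one X-Islandora-Args header value."""
    if len(value) > MAX_LEN:
        return False, "too long"
    # CWE-150: refuse control characters (CR, LF, TAB, ESC, DEL, ...).
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return False, "control character"
    for token in value.split(" "):
        if token == "":
            continue  # tolerate repeated spaces
        # CWE-74: anything outside the allowlist, including shell
        # metacharacters and quotes, fails both patterns.
        if not (OPTION.fullmatch(token) or VALUE.fullmatch(token)):
            return False, f"token not allowed: {token!r}"
    return True, "ok"


def filter_request(headers):
    """Status a front-end filter would return: 400 to reject, 200 to pass on.

    `headers` is a list of (name, value) pairs as received.
    """
    values = [v for k, v in headers if k.lower() == HEADER.lower()]
    if len(values) > 1:
        return 400  # duplicate headers are ambiguous, refuse them
    if values and not check_args_header(values[0])[0]:
        return 400
    return 200


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(filter_request([("X-Islandora-Args", "-resize 50% -quality 80")]))
    print(filter_request([("X-Islandora-Args", "-resize 50%;x")]))
```

The filter complements, and does not replace, keeping Hypercube unreachable from the Internet.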
Source: This report was generated using AI