Craft CMS Twig Function Blocklist Bypass Vulnerability Allowing Code Execution and More

Vulnerability

A vulnerability exists in Craft CMS versions 5.0.0-RC1 through 5.9.0-beta.1 and 4.0.0-RC1 through 4.17.0-beta.1. The issue arises from an incomplete blocklist that fails to prevent certain dangerous PHP functions from being invoked through Twig non-Closure arrow functions. The flaw can be exploited by users with specific permissions: an attacker holding a compromised admin account, a user with access to the System Messages utility, or a user able to edit templates on a production site where 'allowAdminChanges' is enabled. Functions missing from the blocklist could be leveraged to execute various harmful payloads, including remote code execution, arbitrary file reads, server-side request forgery, and server-side template injection.

Impact

Exploitation of this vulnerability could lead to remote code execution, arbitrary file reads, server-side request forgery, or server-side template injection, depending on the PHP functions that are misused.

Remediation

Users should update to Craft CMS versions 5.9.0-beta.1 or 4.17.0-beta.1. After updating, enable the 'enableTwigSandbox' configuration setting, which is enabled by default on new Craft projects. Existing projects will need to manually activate this setting.
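The two settings the advisory names, as an added config/general.php example that is not part of the advisory or of the Craft project's own code. It uses Craft's array-style multi-environment config ('*' applies to every environment, then the block matching CRAFT_ENVIRONMENT overrides it); the environment names and the assumption that the config key is spelled exactly as the setting name 'enableTwigSandbox' are mine.

```php
<?php
// config/general.php (added example, not from the advisory or from Craft CMS)
//
// Weak state this advisory describes on an existing project after upgrading:
//   'enableTwigSandbox' absent (so off) and 'allowAdminChanges' => true in production.
// Corrected state below: sandbox on everywhere, admin changes off in production.

return [
    // Applies to every environment.
    '*' => [
        // Assumed to mirror the 'enableTwigSandbox' setting named in the advisory.
        // New Craft projects get this by default; upgraded projects must set it.
        'enableTwigSandbox' => true,
    ],

    // Matches CRAFT_ENVIRONMENT=production (environment name is an assumption).
    'production' => [
        // Removes the "allowAdminChanges enabled on production" path the advisory lists.
        'allowAdminChanges' => false,
        'devMode' => false,
    ],

    // Matches CRAFT_ENVIRONMENT=dev (environment name is an assumption).
    'dev' => [
        'allowAdminChanges' => true,
        'devMode' => true,
    ],
];
```

The sandbox setting only exists from the patched versions listed above, so apply the update first; on an older version the key is simply ignored rather than enforced.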

Added: Mar 4, 2026, 5:39 PM
Updated: Mar 4, 2026, 6:12 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 10.0
exploitability: 5.0
remediation: 8.3
relevance: 3.5
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.