craftcms/cms is vulnerable to Uncontrolled Resource Consumption
Low Risk
Affected versions of this package are vulnerable to an Unauthenticated Database Backup Denial-of-Service (DoS) due to a missing authorization check in the backup controller action. Any remote attacker could repeatedly trigger a full database backup by sending a crafted request to the exposed endpoint, because the old code did not check the caller's permissions or whether migrations were still pending. By spamming the backup endpoint, an attacker could make the system generate many large backup files at the same time, exhausting disk I/O, consuming significant CPU and disk space, and ultimately rendering the application or server unresponsive.
You are affected if you are using a version that falls within the vulnerable range.
craftcms/cms is vulnerable to Uncontrolled Resource Consumption in versions 5.0.0 - 5.8.20 and 4.0.0 - 4.16.16.
Upgrade the craftcms/cms library to a patched version.
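As an added illustration, not the project's own patch (the advisory does not show the fix), here is a Yii2-style controller action carrying the guards the description says were missing: authentication and permission, a pending-migrations check, and a mutex so repeated requests cannot pile up concurrent backups. The `BackupService` class, its methods, the `utility:db-backup` permission name and a configured `mutex` application component are assumptions for this example.

```php
<?php
// Added illustration, not the craftcms/cms patch. BackupService, its methods,
// the permission name and the 'mutex' component are assumed for this example.
namespace app\controllers;

use Yii;
use yii\web\Controller;
use yii\web\ForbiddenHttpException;
use yii\web\MethodNotAllowedHttpException;
use yii\web\ServerErrorHttpException;
use yii\web\TooManyRequestsHttpException;

class BackupController extends Controller
{
    public function actionCreate()
    {
        // The vulnerable action ran a backup for any caller; reject non-POST,
        // unauthenticated and unauthorized requests before doing any work.
        if (!Yii::$app->request->isPost) {
            throw new MethodNotAllowedHttpException('POST required');
        }
        if (Yii::$app->user->isGuest || !Yii::$app->user->can('utility:db-backup')) {
            throw new ForbiddenHttpException('The db-backup permission is required');
        }

        // Second missing check: refuse to run while schema migrations are pending.
        $backups = new BackupService(); // assumed helper for this example
        if ($backups->hasPendingMigrations()) {
            throw new ServerErrorHttpException('Apply pending migrations before backing up');
        }

        // Serialise backups: a named lock with zero wait stops parallel runs, which is
        // what let repeated requests exhaust disk I/O and space.
        $mutex = Yii::$app->mutex;
        if (!$mutex->acquire('db-backup', 0)) {
            throw new TooManyRequestsHttpException('A backup is already running');
        }
        try {
            $path = $backups->run(); // assumed: writes the dump and returns its path
        } finally {
            $mutex->release('db-backup');
        }

        return $this->asJson(['success' => true, 'file' => basename($path)]);
    }
}
```

Rate limiting at the web server or a per-user quota on backup size would further bound the cost of a permitted but abusive caller.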