How severe is CVE-2025-25286?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2025-25286?

This is classified as CWE-150, which is a common weakness in software security.

CVE-2025-25286

CRITICAL Year: 2025

CVSS v3 Score

9.8

Critical

Weakness Type

CWE-150

View all →

Vulnerability Description

Crayfish is a collection of Islandora 8 microservices, one of which, Homarus, provides FFmpeg as a microservice. Prior to Crayfish version 4.1.0, remote code execution may be possible in web-accessible installations of Homarus in certain configurations. The issue has been patched in `islandora/crayfish:4.1.0`. Some workarounds are available. The exploit requires making a request against the Homarus's `/convert` endpoint; therefore, the ability to exploit is much reduced if the microservice is not directly accessible from the Internet, so: Prevent general access from the Internet from hitting Homarus. Alternatively or additionally, configure auth in Crayfish to be more strongly required, such that requests with `Authorization` headers that do not validate are rejected before the problematic CLI interpolation occurs.

CVE-2017-0899

CRITICAL

CVSS:9.8(Critical)

RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequen...

CWE-1502017

CVE-2023-3265

CRITICAL

CVSS:9.8(Critical)

An authentication bypass exists on CyberPower PowerPanel Enterprise by failing to sanitize meta-characters from the username, allowing an attacker to login into the application with the default user "...

CWE-1502023

CVE-2023-26055

CRITICAL

CVSS:9.9(Critical)

XWiki Commons are technical libraries common to several other top level XWiki projects. Starting in version 3.1-milestone-1, any user can edit their own profile and inject code, which is going to be e...

CWE-1502023

CVE-2025-47284

CRITICAL

CVSS:9.9(Critical)

Gardener implements the automated management and operation of Kubernetes clusters as a service. A security vulnerability was discovered in the `gardenlet` component of Gardener prior to versions 1.116...

CWE-1502025

CVE-2022-30123

CRITICAL

CVSS:10.0(Critical)

A sequence injection vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 which could allow is a possible shell escape in the Lint and CommonLogger components of Rack.

CWE-1502022

CVE-2023-28446

HIGH

CVSS:8.8(High)

Deno is a simple, modern and secure runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Arbitrary program names without any ANSI filtering allows any malicious program to clear th...

CWE-1502023

CVE-2025-25286

Vulnerability Description

Related Vulnerabilities

CVE-2017-0899

CVE-2023-3265

CVE-2023-26055

CVE-2025-47284

CVE-2022-30123

CVE-2023-28446