CRITICAL🇵🇱 Wersja polska

CVE-2025-25286

CVSS 9.8v3.1pub. 2025-02-13upd. 2026-04-15

Crayfish is a collection of Islandora 8 microservices, one of which, Homarus, provides FFmpeg as a microservice. Prior to Crayfish version 4.1.0, remote code execution may be possible in web-accessible installations of Homarus in certain configurations. The issue has been patched in `islandora/crayfish:4.1.0`. Some workarounds are available. The exploit requires making a request against the Homarus's `/convert` endpoint; therefore, the ability to exploit is much reduced if the microservice is not directly accessible from the Internet, so: Prevent general access from the Internet from hitting Homarus. Alternatively or additionally, configure auth in Crayfish to be more strongly required, such that requests with `Authorization` headers that do not validate are rejected before the problematic CLI interpolation occurs.

🤖 AI Analysis
How it works

The vulnerability stems from improper handling of input data sent to the `/convert` endpoint of the Homarus microservice, which exposes FFmpeg as a network service. User input is interpolated directly into command-line invocation (CLI interpolation) without adequate validation or sanitization, corresponding to CWE-150 and CWE-157 classifications. An attacker can craft an HTTP request containing a malicious payload that will be executed as a system command on the server side. Risk is significantly limited when the microservice is not directly accessible from the Internet or when the authorization mechanism properly rejects unauthenticated requests before interpolation occurs.

Impact

An attacker can gain full control over the system running Homarus, including the ability to read and modify data and compromise service availability (complete CIA triad). In a scenario without authentication, the vulnerability is remotely exploitable by any network attacker.

Mitigation & patch

The package should be updated to version islandora/crayfish:4.1.0, in which the vulnerability has been fixed. As a workaround, access to Homarus from the Internet should be restricted at the network/firewall level, and Crayfish should be configured to require stronger authentication so that requests with invalid Authorization headers are rejected before the vulnerable CLI interpolation occurs.

Who is affected

The Crayfish package (islandora/crayfish) in versions prior to 4.1.0, particularly installations where the Homarus microservice is directly accessible from the Internet.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References