Mautic user without privileged access to the Marketplace can install and uninstall composer packages

Description

Summary

A non-privileged user can install and remove arbitrary packages via Composer on a Composer-based installation, even if the "enable Composer-based update" flag in the update settings is unticked.

Impact

A low-privileged user of the platform can install malicious code to obtain higher privileges.

Basic information

Type
reviewed
Severity
critical
Published (advisory)
2025-12-02 21:10:39 UTC
Updated
2025-12-02 21:10:41 UTC
GitHub reviewed
2025-12-02 21:10:39 UTC
NVD published
2025-12-02

EPSS Score

Score: 0.07%
Percentile: 22.49%

CVSS Scores

Base score: 9.0 (CVSS version 4.0)
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

  • Attack vector (AV:N): could be attacked over the internet or any normally routed network.
  • Attack complexity (AC:L): exploitation conditions are straightforward and stable.
  • Attack requirements (AT:P): additional preconditions must be present for exploitation.
  • Privileges required (PR:L): low privileges are required.
  • User interaction (UI:N): no user interaction is required.
  • Vulnerable system confidentiality impact (VC:H): high confidentiality impact on the vulnerable system.
  • Vulnerable system integrity impact (VI:H): high integrity impact on the vulnerable system.
  • Vulnerable system availability impact (VA:H): high availability impact on the vulnerable system.
  • Subsequent system confidentiality impact (SC:H): high confidentiality impact on subsequent systems.
  • Subsequent system integrity impact (SI:H): high integrity impact on subsequent systems.
  • Subsequent system availability impact (SA:H): high availability impact on subsequent systems.

Identifiers

CWEs

  • CWE-284: Improper Access Control
  • CWE-862: Missing Authorization

Credits

  • driskell (reporter)
  • escopecz (remediation_reviewer)
  • patrykgruszka (remediation_reviewer)

Affected packages (3)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem | Package | Vulnerable range | First patched
composer | mautic/core | >= 4.0.0, < 4.4.18 | 4.4.18
composer | mautic/core | >= 5.0.0, < 5.2.9 | 5.2.9
composer | mautic/core | >= 6.0.0, < 6.0.7 | 6.0.7
