PT-2025-7069 · Crayfish, Homarus
Published: 2025-01-15 · Updated: 2025-02-18
CVE-2025-25286
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Crayfish versions prior to 4.1.0
Description: Remote code execution may be possible in web-accessible installations of Homarus in certain configurations. The exploit requires sending a request to Homarus's "/convert" endpoint: request-supplied values are interpolated into a command-line invocation without adequate validation, so a crafted request can influence the command that is executed. The CVSS vector (PR:N) reflects that no credentials are needed to reach that code path where Homarus is reachable. To reduce exploitability, prevent general access from the Internet to Homarus. Alternatively or additionally, configure authentication in Crayfish to be strictly enforced, so that requests whose Authorization header does not validate are rejected before the problematic CLI interpolation occurs.
Recommendations: For Crayfish versions prior to 4.1.0, update to version 4.1.0, which resolves the issue. As a temporary workaround, prevent general access from the Internet to Homarus, restricting it to the hosts that legitimately call the service. Additionally, configure authentication in Crayfish to be strictly enforced, so that requests whose Authorization header does not validate are rejected before the problematic CLI interpolation occurs. Note that these workarounds reduce exposure but do not remove the flaw: a caller with network access and a valid Authorization header still reaches the interpolation, so the upgrade remains necessary.
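The mitigation above describes two layers: authenticate before any request value is interpreted, and never let request-supplied strings reach a shell command unescaped. The following PHP is an added illustration of that pattern and is not Crayfish's or Homarus's code; the header names, the shape of the ffmpeg command line and the bearer-token check are assumptions made for the example, and both builders only return the command string without running anything.

```php
<?php
// Added illustration for the advisory above; not Crayfish/Homarus code.
// Assumptions: the header names, the ffmpeg command shape and the bearer
// token check are invented for the example. Nothing here executes a command;
// both builders return the command string so the difference can be read.
declare(strict_types=1);

const FFMPEG = '/usr/bin/ffmpeg';
const EXPECTED_TOKEN = 'example-secret';   // hypothetical; load from config in practice

/** Vulnerable pattern: raw request values dropped into one shell string. */
function buildCommandUnsafe(array $headers): string
{
    $format = $headers['X-Output-Format'] ?? 'mp4';   // assumed header name
    $args   = $headers['X-Extra-Args']   ?? '';       // assumed header name
    // A format such as "mp4; id" ends the ffmpeg command and starts another.
    return FFMPEG . " -i - $args -f $format -";
}

/** Gate that runs before any request value is interpreted. */
function isAuthorized(array $headers): bool
{
    $auth = $headers['Authorization'] ?? '';
    if (!str_starts_with($auth, 'Bearer ')) {
        return false;
    }
    return hash_equals(EXPECTED_TOKEN, substr($auth, 7));  // constant-time compare
}

/**
 * Hardened pattern: authenticate first, restrict the format to an allowlist,
 * and shell-escape every remaining argument so each is exactly one argv entry.
 */
function buildCommandSafe(array $headers): string
{
    if (!isAuthorized($headers)) {
        throw new RuntimeException('401 Unauthorized');
    }

    $format = $headers['X-Output-Format'] ?? 'mp4';
    if (!in_array($format, ['mp4', 'webm', 'ogg', 'mp3'], true)) {
        throw new InvalidArgumentException('415 unsupported output format');
    }

    $parts = [FFMPEG, '-i', '-'];
    $extra = preg_split('/\s+/', trim($headers['X-Extra-Args'] ?? ''), -1, PREG_SPLIT_NO_EMPTY);
    foreach ($extra as $arg) {
        $parts[] = escapeshellarg($arg);
    }
    array_push($parts, '-f', $format, '-');
    return implode(' ', $parts);
}

function demo(string $label, callable $builder, array $headers): void
{
    try {
        echo $label, ': ', $builder($headers), PHP_EOL;
    } catch (Throwable $e) {
        echo $label, ': rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}

// Constructed requests: a forged token with an injected format, the same
// injection with a valid token, and a benign authenticated request.
$forged = [
    'Authorization'   => 'Bearer wrong-token',
    'X-Output-Format' => 'mp4; id',
    'X-Extra-Args'    => '-vf scale=320:-1',
];
$authenticated = $forged;
$authenticated['Authorization'] = 'Bearer ' . EXPECTED_TOKEN;
$benign = $authenticated;
$benign['X-Output-Format'] = 'webm';

demo('unsafe, forged token', 'buildCommandUnsafe', $forged);
demo('safe,   forged token', 'buildCommandSafe', $forged);
demo('safe,   bad format  ', 'buildCommandSafe', $authenticated);
demo('safe,   benign      ', 'buildCommandSafe', $benign);
```

Run it with `php example.php`. The unsafe builder shows the format value terminating the ffmpeg command and starting a second one, while the safe builder rejects the forged token before any request value is inspected and, for an authenticated caller, rejects a format outside the allowlist. Keep in mind that escapeshellarg only neutralises shell metacharacters; it does not stop an authenticated caller from passing ffmpeg options that read or write arbitrary paths, so an allowlist of permitted options is stronger than escaping alone.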

Related Identifiers

CVE-2025-25286
GHSA-MM6V-68QP-F9FW

Affected Products

Crayfish
Homarus