CVE-2025-25286
CVSS 3.1 Score 9.8 of 10 (high)
Details
Summary
CVE-2025-25286 is a remote code execution vulnerability affecting the Homarus microservice in Crayfish, a collection of Islandora 8 services. Prior to version 4.1.0, Homarus, which uses FFmpeg as a microservice, contained a flaw that could be exploited in web-accessible installations under certain configurations. The vulnerability has been addressed in `islandora/crayfish:4.1.0`. To minimize the risk, secure access to Homarus by preventing general Internet access or implementing stronger authentication requirements. The exploit relies on making requests to the `/convert` endpoint, so limiting access to this endpoint can further reduce the potential for successful attacks.
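To check whether the `/convert` endpoint is actually limited to the hosts that should reach it, web server access logs can be audited for requests from unexpected clients. The following is an added example, not code from Crayfish or from this advisory; the allowlisted networks, the `/homarus/convert` path, and the log lines are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumption: only these networks (e.g. the hosts that call Homarus) are expected.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.20.0.0/24")]

# Apache/nginx "combined" log format: client, ident, user, [time], "request", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_convert_request(target):
    """True when the last path segment is 'convert' (query string and encoding ignored)."""
    path = unquote(target.split("?", 1)[0]).rstrip("/")
    return path.rsplit("/", 1)[-1] == "convert"

def is_allowed(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable client field is treated as untrusted
    return any(ip in net for net in ALLOWED_NETS)

def unexpected_convert_clients(lines):
    """Return (ip, timestamp, method, status) for /convert hits from outside the allowlist."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_convert_request(m["target"]):
            continue
        if not is_allowed(m["ip"]):
            findings.append((m["ip"], m["ts"], m["method"], int(m["status"])))
    return findings

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '10.20.0.15 - - [12/Feb/2025:10:01:02 +0000] "GET /homarus/convert HTTP/1.1" 200 5120 "-" "client-a"',
    '203.0.113.50 - - [12/Feb/2025:10:05:40 +0000] "GET /homarus/convert HTTP/1.1" 200 312 "-" "client-b"',
    '203.0.113.50 - - [12/Feb/2025:10:05:41 +0000] "GET /index.html HTTP/1.1" 200 100 "-" "client-b"',
    '198.51.100.7 - - [12/Feb/2025:10:07:00 +0000] "POST /convert/?x=1 HTTP/1.1" 401 0 "-" "-"',
]

if __name__ == "__main__":
    for finding in unexpected_convert_clients(SAMPLE_LOG):
        print("unexpected /convert client:", finding)
```

Any finding with a 2xx status means the endpoint answered a client outside the allowlist, which indicates the access restriction is not in effect for that path.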
Affected Products
- Crayfish