Craft CMS GraphQL Server-Side Request Forgery Vulnerability in Asset Upload Mutation

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Craft CMS GraphQL `save_<VolumeName>_Asset` mutation, affecting versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16. The mutation accepts a `_file` input whose `url` parameter is fetched by the server without proper validation, so the server can be made to retrieve content from arbitrary remote locations. Exploitation consists of supplying an internal IP address or a cloud metadata endpoint as the `url`, which causes the server to request those restricted services. The fetched content is then saved as an asset, which can be accessed and exfiltrated, potentially leading to data exposure and infrastructure compromise. Exploitation requires GraphQL permissions for asset management within the targeted volume.

Impact

Exploitation of this vulnerability allows an attacker to reach internal network resources, bypass firewall rules, and conduct network reconnaissance. In cloud environments, this could result in the theft of sensitive credentials from metadata endpoints, leading to a full compromise of the underlying infrastructure and exfiltration of sensitive data.

Reproduction

To reproduce this vulnerability, log in to the Craft CMS control panel as an admin. Create a new volume and a new GraphQL schema with the necessary permissions to edit and create assets in the volume. Access the GraphiQL interface and run the `save_<VolumeName>_Asset` mutation, replacing `<VolumeName>` with the name of the volume. Include a URL that points to an internal service or cloud metadata endpoint in the `_file` input. Once the asset is uploaded, its content can be accessed through the asset preview or download functionality.

Remediation

Users should update to Craft CMS 5.8.21 or 4.16.17, whichever matches their major version; both releases include the necessary patch. Instructions for updating can be found in the Craft CMS documentation.
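Independently of the vendor patch, a server-side fetch of a user-supplied `url` such as the one in the `_file` input can be guarded by validating the destination before any request is made. The following is an added example and is not Craft CMS code or the vendor's fix: it resolves the host, unwraps IPv4-mapped IPv6 addresses, and rejects any address that is not globally routable (loopback, RFC 1918, link-local including 169.254.169.254, CGNAT). `SAMPLE_DNS` and `sample_resolver` are constructed stand-ins for DNS so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def default_resolver(host):
    """Return every address (A and AAAA) the host resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_asset_url(url, resolver=default_resolver):
    """Decide whether a user-supplied URL may be fetched server-side.

    Returns (ok, reason). Rejects anything that is not plain http(s), any URL
    carrying credentials, and any host with an address that is not globally
    routable. Every resolved address must pass, so a name with one public
    and one internal record is rejected. The caller must then connect to the
    validated address (not re-resolve) and re-run this check on each redirect.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        ipaddress.ip_address(parts.hostname)
        addrs = {parts.hostname}                    # literal IP, no DNS needed
    except ValueError:                              # a hostname: resolve it
        try:
            addrs = resolver(parts.hostname)
        except OSError as exc:
            return False, f"could not resolve host: {exc}"
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])   # drop IPv6 zone id
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped                     # ::ffff:10.0.0.5 -> 10.0.0.5
        if not ip.is_global:
            return False, f"{addr} is not a globally routable address"
    return True, "ok"


# Constructed lookup table standing in for DNS (hypothetical names and records).
SAMPLE_DNS = {
    "cdn.example.com": {"93.184.216.34"},
    "mixed.example.com": {"93.184.216.34", "10.0.0.12"},
}


def sample_resolver(host):
    """Offline resolver used in place of socket.getaddrinfo for the example."""
    try:
        return SAMPLE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"unknown host {host}")
```

Hostnames like `0x7f000001` or `2130706433` are deliberately not parsed by hand: they go through the resolver, and whatever the system resolver turns them into is what gets checked.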

Added: Jan 5, 2026, 10:24 PM
Updated: Jan 5, 2026, 10:24 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 7.5
exploitability: 6.8
remediation: 7.7
relevance: 1.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.