Craft CMS
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*
- >= 5.0.0-RC1, <= 5.8.21
- >= 3.5.0, <= 4.16.17
A vulnerability exists in Craft CMS versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, allowing authenticated attackers to abuse the 'save_images_Asset' GraphQL mutation. This exploitation involves bypassing hostname validation to fetch internal URLs by providing a domain that resolves to an internal IP address. When non-image file extensions like .txt are permitted, this bypasses standard image validation, enabling the retrieval of sensitive data such as AWS instance metadata credentials from the host.
Exploitation of this vulnerability allows access to sensitive information from the underlying host, including AWS metadata credentials, which could be misused to access AWS resources.
To reproduce this vulnerability, an authenticated user must have a GraphQL token with permissions to use the 'save_images_Asset' mutation. The attacker must register a domain that points to a sensitive internal IP, such as one associated with AWS metadata. Once the domain is set up, the 'save_images_Asset' mutation can be invoked with a URL that includes the internal IP metadata path, using a filename with a .txt extension to bypass image validation. After the mutation is processed, the requested data can be downloaded from the Craft CMS asset URL where it was saved.
Users can update to Craft CMS versions 4.16.18 or 5.8.22, where this vulnerability has been patched.
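The advisory above describes two weaknesses that combine: a hostname check that can be satisfied by a name resolving to an internal address, and an extension policy that lets a non-image file through image validation. The following is an added example (it is not Craft CMS code and does not show how the patched releases implement their fix) of the check a server-side fetch should perform before downloading a user-supplied URL into an asset: validate the resolved addresses rather than the hostname string, pin the address that passed so the connection cannot be re-resolved elsewhere, and apply an image-only extension allowlist. The function names, the allowlist, the constructed DNS table and the `demo_resolver` used to run it offline are all assumptions made for this example.

```python
"""Added example, not Craft CMS code: validate a remote fetch target by its
resolved addresses and enforce an image-only extension allowlist.

Everything below (names, allowlist, constructed DNS table) is an assumption
made for the demonstration and is not taken from the advisory.
"""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Extensions the asset endpoint accepts. ".txt" is deliberately absent: the
# advisory notes that permitting it defeats image validation.
IMAGE_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "webp"})

Resolver = Callable[[str], Iterable[str]]


def system_resolver(hostname: str) -> list[str]:
    """Resolve a hostname to every A/AAAA record via the system resolver."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses.

    Loopback, RFC 1918, link-local (the range cloud metadata services live in),
    documentation, reserved and unspecified addresses all fail is_global;
    multicast is rejected explicitly and IPv4-mapped IPv6 is unwrapped first so
    "::ffff:127.0.0.1" cannot slip past an IPv4-only check.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def check_fetch_target(url: str, filename: str,
                       resolver: Resolver = system_resolver) -> tuple[bool, str, str]:
    """Return (allowed, reason, pinned_ip).

    pinned_ip is the address the caller must actually connect to. Re-resolving
    the hostname at connect time would reopen the window in which a name that
    passed the check is changed to point at an internal address.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed", ""
    host = parts.hostname
    if not host:
        return False, "missing host", ""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in IMAGE_EXTENSIONS:
        return False, f"extension {ext!r} not in image allowlist", ""
    try:
        addrs = list(resolver(host))
    except (OSError, ValueError) as exc:
        return False, f"resolution failed: {exc}", ""
    if not addrs:
        return False, "no addresses", ""
    # Every returned address must be public; a name that mixes a public and an
    # internal record is rejected outright.
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public {addr}", ""
    return True, "ok", addrs[0]


# Constructed DNS table for offline use: an ordinary public name, a name that
# points at the link-local metadata range, an RFC 1918 name, and a name with
# a mapped-loopback record hidden among public ones.
DEMO_DNS = {
    "images.example": ["93.184.216.34"],
    "rebind.example": ["169.254.169.254"],
    "intranet.example": ["10.0.0.5"],
    "dual.example": ["93.184.216.34", "::ffff:127.0.0.1"],
}


def demo_resolver(hostname: str) -> list[str]:
    """Resolver backed by DEMO_DNS; IP literals resolve to themselves."""
    try:
        ipaddress.ip_address(hostname)
        return [hostname]
    except ValueError:
        pass
    if hostname not in DEMO_DNS:
        raise socket.gaierror(f"constructed: no record for {hostname}")
    return DEMO_DNS[hostname]


if __name__ == "__main__":
    cases = [
        ("https://images.example/logo.png", "logo.png"),
        ("https://rebind.example/latest/meta-data/", "creds.txt"),
        ("https://rebind.example/latest/meta-data/", "creds.png"),
        ("http://127.0.0.1/logo.png", "logo.png"),
        ("https://dual.example/logo.png", "logo.png"),
        ("ftp://images.example/logo.png", "logo.png"),
    ]
    for url, name in cases:
        print(url, name, check_fetch_target(url, name, demo_resolver))
```

The order of checks matters less than the fact that the decision is made on resolved addresses and that the winning address is pinned; a production fetcher should also cap redirects and re-run `check_fetch_target` on every redirect target, since a public name can redirect to an internal one.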