Craft CMS GraphQL Mutation SSRF Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in the Craft CMS GraphQL 'saveAsset' mutation. It affects Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21. The mutation validates the submitted URL, but Guzzle, the HTTP client used by Craft, follows redirects by default, so that validation can be bypassed: an attacker can host a URL that redirects to a cloud metadata endpoint or an internal IP address, and the request ends up at a target the validation would have rejected.

Impact

Exploitation of this vulnerability allows attackers to access cloud metadata services or internal network resources, potentially leading to unauthorized data exposure or manipulation.

Reproduction

To reproduce this vulnerability, host a redirect script that points to a cloud metadata endpoint, such as '169.254.169.254/latest/meta-data/'. Then, send a GraphQL mutation using the 'saveAsset' mutation, including the URL of the redirect script. The application will validate the initial URL but will ultimately follow the redirect to the metadata endpoint, bypassing SSRF protections and allowing access to sensitive metadata.

Remediation

Update to Craft CMS 4.16.18 or 5.8.22, where this vulnerability has been patched.
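The underlying defect is that only the first URL is validated while the HTTP client silently follows the redirect chain. The following is an added defensive example, not code from Craft CMS or Guzzle, showing the pattern that closes that gap: disable Guzzle's automatic redirects and re-run the same host check on every Location target before the next hop is requested. It assumes guzzlehttp/guzzle and guzzlehttp/psr7 are installed via Composer; the function names assertSafeUrl and fetchWithValidatedRedirects are hypothetical.

```php
<?php
// Added example (not Craft CMS or Guzzle project code): fetch a user-supplied
// URL with automatic redirects disabled and validate every hop ourselves.
// Assumes guzzlehttp/guzzle and guzzlehttp/psr7 are installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Psr7\Uri;
use GuzzleHttp\Psr7\UriResolver;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\UriInterface;

const MAX_REDIRECT_HOPS = 5;

/**
 * Reject URLs whose host is, or resolves to, a loopback, link-local
 * (169.254.0.0/16, where cloud metadata services live), private or other
 * reserved address. Throws on any unsafe target so no request is issued.
 */
function assertSafeUrl(UriInterface $uri): void
{
    if (!in_array($uri->getScheme(), ['http', 'https'], true)) {
        throw new RuntimeException("Unsupported scheme: {$uri->getScheme()}");
    }
    $host = $uri->getHost();
    if ($host === '') {
        throw new RuntimeException('URL has no host');
    }
    // A literal IP is checked directly; a hostname is resolved and every
    // returned address is checked, because any of them may be used.
    $addresses = filter_var($host, FILTER_VALIDATE_IP) !== false
        ? [$host]
        : (gethostbynamel($host) ?: []);
    if ($addresses === []) {
        // Fail closed: unresolvable (or IPv6-only) hosts are rejected.
        throw new RuntimeException("Could not resolve host: $host");
    }
    foreach ($addresses as $ip) {
        $ok = filter_var(
            $ip,
            FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
        );
        if ($ok === false) {
            throw new RuntimeException("Host $host resolves to blocked address $ip");
        }
    }
}

/**
 * Follow redirects manually so the redirect target gets the same validation
 * as the original URL. With Guzzle's default allow_redirects => true, a 3xx
 * Location pointing at an internal address would be followed unchecked.
 */
function fetchWithValidatedRedirects(Client $client, string $url): ResponseInterface
{
    $uri = new Uri($url);
    for ($hop = 0; $hop <= MAX_REDIRECT_HOPS; $hop++) {
        assertSafeUrl($uri);
        $response = $client->request('GET', $uri, [
            'allow_redirects' => false, // never let Guzzle follow on its own
            'http_errors'     => false,
            'timeout'         => 10,
        ]);
        $status = $response->getStatusCode();
        if ($status < 300 || $status > 399 || !$response->hasHeader('Location')) {
            return $response;
        }
        // Resolve a relative Location against the current URL; the next loop
        // iteration validates the new target before requesting it.
        $uri = UriResolver::resolve($uri, new Uri($response->getHeaderLine('Location')));
    }
    throw new RuntimeException('Too many redirects');
}

// Usage (the URL is a placeholder, not a real endpoint):
// $response = fetchWithValidatedRedirects(new Client(), 'https://example.com/image.jpg');
```

Two caveats a practitioner should keep in mind: the check resolves the hostname separately from the connection Guzzle later opens, so a DNS rebinding setup could still answer differently on the second lookup unless the resolved address is pinned (for example with curl's CURLOPT_RESOLVE option through Guzzle's curl settings); and gethostbynamel only returns IPv4 records, so IPv6-only hosts are rejected rather than inspected. Both behaviours fail closed, which is the right default for fetching attacker-controlled URLs.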

Added: Feb 9, 2026, 8:24 PM
Updated: Feb 9, 2026, 10:24 PM

Vulnerability Rating

Custom Algorithm

  spread          5.2
  impact          0.6
  exploitability  5.8
  remediation     7.9
  relevance       2.6
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.