Craft CMS GraphQL Mutation Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Craft CMS versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21. The issue arises in the 'saveAsset' GraphQL mutation, which attempts to block certain IP addresses using standard IP validation. However, this validation fails to recognize alternative IP notations, such as hexadecimal or mixed formats, allowing attackers to bypass the blocklist and access cloud metadata services. This vulnerability has been patched in Craft CMS versions 4.16.18 and 5.8.22.

Impact

Exploitation of this vulnerability allows for unauthorized access to cloud metadata services, potentially leading to the exposure of sensitive information.

Reproduction

To reproduce this vulnerability, send a GraphQL mutation using the 'save_images_Asset' mutation. Include a URL that uses a hexadecimal notation of an IP address within the 169.254.0xa9fe range, which is resolved to 169.254.169.254 by Guzzle. The cloud metadata is then fetched and saved, demonstrating the successful bypass of the IP blocklist.
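The root cause described in the Vulnerability and Reproduction sections is a blocklist that only understands canonical dotted-decimal addresses, while the HTTP client's resolver also accepts hexadecimal, octal, shortened and plain-integer forms. The following check is an added example written for this advisory, not Craft CMS or Guzzle code (it is Python rather than PHP): it canonicalizes the host the same way a libc resolver would, via socket.inet_aton, before comparing against blocked ranges, and unwraps IPv4-mapped IPv6 literals. The blocked-range list and sample URLs are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed list of ranges a fetcher of user-supplied URLs should never reach;
# 169.254.0.0/16 covers the cloud metadata endpoint the advisory mentions.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]


def canonical_ip(host: str):
    """Return the address `host` denotes as an IP literal, or None for a hostname.

    ipaddress handles strict dotted-decimal and IPv6. inet_aton then catches the
    legacy forms a resolver also accepts (hex such as 169.254.0xa9fe or
    0xa9fea9fe, octal, shortened and plain-integer notation), so a blocklist
    sees the same address the HTTP client would actually connect to.
    """
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        try:
            ip = ipaddress.IPv4Address(socket.inet_aton(host))
        except (OSError, ValueError):
            return None  # not an IP literal in any notation: treat as hostname
    # ::ffff:169.254.169.254 is the same target as 169.254.169.254.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def is_blocked_url(url: str) -> bool:
    """True if the URL's host is an IP literal inside a blocked range, in any notation.

    A hostname returns False here; it must be resolved and every resolved
    address re-checked at connect time, otherwise DNS is a second bypass.
    """
    host = urlsplit(url).hostname
    if host is None:
        return True  # nothing fetchable: fail closed
    ip = canonical_ip(host)
    if ip is None:
        return False
    return any(ip in net for net in BLOCKED_NETWORKS)
```

The check belongs in front of the fetch and again on the resolved addresses, since a validator that runs only on the raw string is exactly what the advisory shows being bypassed.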

Remediation

Users can update to Craft CMS versions 4.16.18 or 5.8.22 to address this vulnerability.

Added: Feb 9, 2026, 8:24 PM
Updated: Feb 9, 2026, 10:24 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 3.1
exploitability: 5.8
remediation: 7.7
relevance: 2.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.