Craft CMS
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*
- >= 5.0.0-RC1, <= 5.8.22
- >= 3.5.0, <= 4.16.18
A server-side request forgery (SSRF) vulnerability has been identified in Craft CMS versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22. The issue arises in the GraphQL Asset mutation: when an asset is created from a URL, the server validates the URL by resolving its hostname and checking the answer against the SSRF deny list, but the HTTP client that later fetches the file resolves the same hostname a second time. Because the two lookups are independent, an attacker who controls the authoritative DNS for the name (a short-TTL record that answers with a permitted address first and a blocked address afterwards, i.e. DNS rebinding) passes the check and still has the fetch land on the blocked address. This is a time-of-check-to-time-of-use (TOCTOU) flaw that defeats the existing cloud metadata SSRF protections. Exploitation requires GraphQL permissions to manage assets in the affected volume.
Because the rebinding happens after validation, the bypass is not limited to IPv6 metadata endpoints: every address the SSRF filter blocks, including the IPv4 metadata address, becomes reachable. The fetched content is stored as the asset and returned to the attacker, which on a cloud host may include IAM credentials or service account tokens, depending on the provider and how its metadata service is configured (metadata services that require a per-request session token, such as AWS IMDSv2, cannot be read with a plain GET).
To reproduce, log in to Craft CMS with a GraphQL token that is allowed to create and edit assets in a volume. In the GraphiQL interface, send the asset mutation with a file URL whose hostname points at a DNS server you control, configured so that the validation lookup returns a public address and the subsequent fetch lookup returns a blocked address such as a cloud metadata endpoint. The created asset contains the content fetched from the blocked address, confirming exploitation.
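The following is an added example written for this page, not Craft CMS code, that models the two behaviours described above: a validate-then-fetch client whose second DNS lookup can be rebound, and the pinned variant that resolves once, validates that address, and connects to it. The resolver and transport are constructed stubs (no network is touched), the hostname `rebind.attacker.example` is hypothetical, `203.0.113.10` is an RFC 5737 documentation address, and the deny list is illustrative rather than Craft's actual list.

```python
"""Model of the validate-then-fetch TOCTOU behind a DNS-rebinding SSRF,
beside the pinned-address fix. Added example; not Craft CMS code."""
import ipaddress
from urllib.parse import urlparse

# Illustrative deny list (assumption, not Craft's): loopback, RFC 1918,
# link-local (the IPv4 metadata address 169.254.169.254 lives here), CGNAT,
# the "this network" range, and the IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked(ip: str) -> bool:
    """True if ip falls in a blocked range. IPv4-mapped IPv6 addresses
    (::ffff:169.254.169.254) are unwrapped first so they cannot slip past
    the IPv4 entries."""
    addr = ipaddress.ip_address(ip)
    mapped = getattr(addr, "ipv4_mapped", None)  # only IPv6Address has it
    if mapped is not None:
        addr = mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


class RebindingResolver:
    """Constructed stand-in for an attacker-controlled authoritative DNS
    server: a TTL-0 name that answers a public address first and the
    metadata address afterwards. Each resolve() call is one lookup."""

    def __init__(self, answers):
        self._answers = list(answers)
        self.lookups = 0

    def resolve(self, hostname: str) -> str:
        answer = self._answers[min(self.lookups, len(self._answers) - 1)]
        self.lookups += 1
        return answer


def http_get(ip: str, host: str, path: str) -> str:
    """Constructed transport stub: reports which address was actually
    contacted instead of opening a socket."""
    return f"served-by:{ip} host={host} path={path}"


def fetch_vulnerable(url: str, resolver: RebindingResolver) -> str:
    """Validate-then-fetch: the filter resolves the name (time of check),
    then the HTTP client resolves it again (time of use)."""
    parsed = urlparse(url)
    if is_blocked(resolver.resolve(parsed.hostname)):
        raise ValueError("blocked address")
    ip = resolver.resolve(parsed.hostname)  # second lookup: may be rebound
    return http_get(ip, parsed.hostname, parsed.path)


def fetch_pinned(url: str, resolver: RebindingResolver) -> str:
    """Resolve once, validate that address, and connect to exactly that
    address, carrying the original name in the Host header. There is no
    second lookup for the attacker to rebind."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme")
    ip = resolver.resolve(parsed.hostname)
    if is_blocked(ip):
        raise ValueError("blocked address")
    return http_get(ip, parsed.hostname, parsed.path)


def demo():
    """Run both clients against the same rebinding name; returns
    (vulnerable_result, pinned_result)."""
    url = "http://rebind.attacker.example/latest/meta-data/"  # hypothetical
    answers = ["203.0.113.10", "169.254.169.254"]  # public first, then metadata
    hit = fetch_vulnerable(url, RebindingResolver(answers))
    safe = fetch_pinned(url, RebindingResolver(answers))
    return hit, safe


if __name__ == "__main__":
    vulnerable, pinned = demo()
    print("vulnerable client:", vulnerable)
    print("pinned client:    ", pinned)
```

In a real client, pinning means connecting to the validated IP while sending the original hostname for Host and SNI (with libcurl, `CURLOPT_RESOLVE` does this), and the same check must run on every hop if redirects are followed, since a redirect to a new hostname is another lookup the attacker controls.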
Users should update to Craft CMS 5.8.23 or 4.16.19, which address this vulnerability. Until the update is applied, limit the GraphQL schemas and tokens that carry asset create and edit permissions to trusted users, since those permissions are required for exploitation.