Craft CMS GraphQL Asset Mutation Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Craft CMS versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22. The vulnerability arises in the GraphQL Asset mutation, where the SSRF validation relies on 'gethostbyname()', a function that resolves only IPv4 (A) records. A hostname that has only IPv6 (AAAA) records therefore never yields an address for the check to inspect, which allows attackers to bypass the SSRF protection with such a hostname and reach internal services or cloud metadata endpoints. Exploitation requires GraphQL permissions to manage assets in the targeted volume, and the issue is a bypass of the security fix for CVE-2025-68437.
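The following Python is an added illustration of the validation pattern the advisory describes; it is not Craft's code and not the vendor's patch. It places an IPv4-only check (modelled on PHP's 'gethostbyname()', which returns the unmodified hostname when no A record exists) next to a check that resolves every address family and rejects any internal answer, including IPv4-mapped IPv6 wrappers. The hostnames, the FAKE_DNS table and the fake_* resolvers are constructed for the demo; the real resolvers are only used when the functions are called without an injected resolver.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List


def is_internal_address(ip_text: str) -> bool:
    """Classify one resolved address. Loopback, private (RFC 1918 / ULA),
    link-local (169.254.0.0/16, fe80::/10), reserved, multicast and the
    unspecified address are all off limits for a fetch-by-URL feature.
    An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is judged by its IPv4 payload,
    otherwise ::ffff:169.254.169.254 would slip past an IPv6-aware check."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def weak_ssrf_check(host: str,
                    resolve_v4: Callable[[str], str] = socket.gethostbyname) -> bool:
    """The flawed pattern: only the IPv4 answer is inspected. PHP's
    gethostbyname() hands back the unmodified hostname when there is no A
    record, so a host with only an AAAA record is never judged; the resolver
    failure is modelled the same way here (illustrative, not Craft's code).
    Returns True when the URL would be allowed."""
    try:
        answer = resolve_v4(host)
    except OSError:
        answer = host                      # no A record: the check sees a bare name
    try:
        return not is_internal_address(answer)
    except ValueError:
        return True                        # not an IP literal, so nothing is rejected


def resolve_every_family(host: str) -> List[str]:
    """Ask for A and AAAA records together; an unresolvable name yields []."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]


def strict_ssrf_check(host: str,
                      resolve_all: Callable[[str], Iterable[str]] = resolve_every_family) -> bool:
    """Hardened pattern: every address the name resolves to, in every family,
    must be external. Fail closed when nothing resolves at all."""
    addrs = list(resolve_all(host))
    if not addrs:
        return False
    return not any(is_internal_address(a) for a in addrs)


# Constructed DNS view for the stand-alone demo; nothing here is looked up live.
FAKE_DNS = {
    "aaaa-only.example.test": ["fd00:ec2::254"],        # AAAA only; AWS IMDS IPv6 address (per AWS docs)
    "v4-internal.example.test": ["169.254.169.254"],     # A only; the IPv4 metadata address
    "mapped.example.test": ["::ffff:169.254.169.254"],   # IPv4-mapped wrapper around the same
    "public.example.test": ["8.8.8.8", "2001:4860:4860::8888"],  # dual-stack public host
}


def fake_resolve_v4(host: str) -> str:
    """Stand-in for gethostbyname(): first A record, or a resolver error."""
    v4 = [a for a in FAKE_DNS.get(host, []) if ":" not in a]
    if not v4:
        raise socket.gaierror("no A record")
    return v4[0]


def fake_resolve_all(host: str) -> List[str]:
    """Stand-in for getaddrinfo(): every record of every family."""
    return FAKE_DNS.get(host, [])


def compare_checks(host: str) -> dict:
    """Run both validators against the constructed DNS view."""
    return {"weak": weak_ssrf_check(host, fake_resolve_v4),
            "strict": strict_ssrf_check(host, fake_resolve_all)}


if __name__ == "__main__":
    for name in FAKE_DNS:
        print(f"{name:28} {compare_checks(name)}")
```

Resolving in the validator and again in the HTTP client opens a second gap (DNS rebinding between the two lookups), so a real implementation should connect to the address it validated and re-run the check on every redirect target rather than on the original URL alone.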

Impact

Exploitation of this vulnerability allows for unauthorized access to internal network resources, bypassing firewall rules and conducting network reconnaissance. In cloud environments, this could lead to the theft of sensitive credentials from metadata endpoints, resulting in a full compromise of the infrastructure.

Reproduction

To reproduce this vulnerability, log into a Craft CMS instance with the necessary GraphQL permissions to edit and create assets. Use the GraphiQL interface to send a mutation that uploads an asset by providing a URL that resolves to an internal IPv6 address, such as one pointing to an AWS metadata service. The request will bypass the SSRF validation and access the internal resource, potentially leading to credential theft.

Remediation

Users should update to Craft CMS versions 4.16.19 or 5.8.23, both of which address this vulnerability.

Added: Feb 24, 2026, 3:23 AM
Updated: Feb 24, 2026, 3:23 AM

Vulnerability Rating

Custom Algorithm

spread          5.2
impact          0.6
exploitability  7.6
remediation     7.7
relevance       3.1
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.