Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation
Description
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL save__Asset mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the _file input, specifically its url parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the url, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume. Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Craft CMS GraphQL asset upload mutation lacks URL validation, enabling SSRF to internal services and cloud metadata endpoints.
Vulnerability Overview
Craft CMS versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 contain a Server-Side Request Forgery (SSRF) vulnerability in the GraphQL save__Asset mutation [1][2]. The _file input's url parameter is not properly validated, allowing the server to fetch content from arbitrary remote locations [2]. This includes internal IP addresses (e.g., 127.0.0.1) and cloud metadata endpoints [2].
Exploitation
An attacker must have GraphQL permissions for "Edit assets" and "Create assets" in the targeted volume [2]. With these permissions, they can craft a mutation that supplies a malicious url parameter, such as http://127.0.0.1:80/index.php or a cloud metadata URL [2]. The server then fetches the content from that URL and saves it as an asset in the volume [2].
Impact
The saved asset's content is accessible via the asset preview or download functionality, allowing the attacker to exfiltrate the fetched data [2]. This can lead to exposure of sensitive internal services, cloud metadata (e.g., IAM credentials), and potential infrastructure compromise [1][2].
Mitigation
Craft CMS has released patched versions 5.8.21 and 4.16.17 that address this vulnerability [1][2][3]. Users are strongly advised to update immediately. No workarounds have been provided [2].
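An added example, not part of the advisory or of Craft's code: a small Python audit that scans already-decoded GraphQL request bodies for the asset-save mutation described under Exploitation and flags _file url values whose host is an IP literal or an internal name. The sample bodies, the `images` volume handle and the `FileInput` type name are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Mutation name (volume handle between the underscores) and inline `_file: {url: "..."}`.
MUTATION_RE = re.compile(r"\bsave_\w*_Asset\b")
INLINE_URL_RE = re.compile(r'_file\s*:\s*\{[^}]*?\burl\s*:\s*"([^"]+)"', re.S)

def classify(url):
    """Return why a _file url host looks internal, or None if nothing stands out."""
    try:
        host = urlsplit(url).hostname
    except ValueError:  # e.g. malformed IPv6 brackets
        return "unparseable URL"
    if not host:
        return "no hostname"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a DNS name, not an IP literal
        internal = host == "localhost" or host.endswith((".localhost", ".internal"))
        return "internal hostname" if internal else None
    kinds = (("loopback", ip.is_loopback), ("link-local", ip.is_link_local), ("private", ip.is_private))
    return next((f"{kind} address" for kind, hit in kinds if hit), "public IP literal")

def file_urls(body):
    """Collect _file url values (inline and via variables) from one decoded request body."""
    query = str(body.get("query") or "")
    if not MUTATION_RE.search(query):
        return []
    urls = INLINE_URL_RE.findall(query)
    variables = body.get("variables")
    for value in variables.values() if isinstance(variables, dict) else ():
        if isinstance(value, dict) and isinstance(value.get("url"), str):
            urls.append(value["url"])
    return urls

def audit(bodies):
    """Return (url, reason) for every flagged upload URL in decoded GraphQL request bodies."""
    return [(u, r) for b in bodies for u in file_urls(b) if (r := classify(u))]

# Constructed samples; "images" is a hypothetical volume handle, FileInput an assumed type name.
VAR_QUERY = "mutation($f: FileInput) { save_images_Asset(_file: $f) { id } }"
SAMPLE_BODIES = [
    {"query": 'mutation { save_images_Asset(_file: {url: "http://127.0.0.1:80/index.php"}) { id } }'},
    {"query": VAR_QUERY, "variables": {"f": {"url": "http://169.254.10.20/"}}},
    {"query": VAR_QUERY, "variables": {"f": {"url": "https://cdn.example.com/logo.png"}}},
]

if __name__ == "__main__":
    print(*(f"{reason}: {url}" for url, reason in audit(SAMPLE_BODIES)), sep="\n")
```

A DNS name that is not internal by convention returns None here, because the audit inspects the logged string only and does not resolve names.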
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| craftcms/cms (Packagist) | >= 5.0.0-RC1, < 5.8.21 | 5.8.21 |
| craftcms/cms (Packagist) | >= 3.5.0, < 4.16.17 | 4.16.17 |
Affected products: 2
Patches: 1
2 files changed · +10 −0
CHANGELOG.md+1 −0 modified@@ -7,6 +7,7 @@ - Fixed a PHP error that could occur when creating a username that began or ended with an `@`. ([#18123](https://github.com/craftcms/cms/pull/18123)) - Fixed a bug where assets with disallowed file extensions could be stored in the system’s temp directory. ([#18049](https://github.com/craftcms/cms/pull/18049)) - Fixed RCE vulnerabilities. (GHSA-255j-qw47-wjh5, GHSA-742x-x762-7383) +- Fixed an SSRF vulnerability. (GHSA-x27p-wfqw-hfcc) ## 4.16.16 - 2025-11-18
src/gql/resolvers/mutations/Asset.php+9 −0 modified@@ -242,6 +242,15 @@ protected function handleUpload(AssetElement $asset, array $fileInformation): bo } elseif (!empty($fileInformation['url'])) { $url = $fileInformation['url']; + // make sure the hostname is alphanumeric and not an IP address + $hostname = parse_url($url, PHP_URL_HOST); + if ( + !filter_var($hostname, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) || + filter_var($hostname, FILTER_VALIDATE_IP) + ) { + throw new UserError("$url contains an invalid hostname."); + } + if (empty($fileInformation['filename'])) { $filename = AssetsHelper::prepareAssetName(pathinfo(UrlHelper::stripQueryString($url), PATHINFO_BASENAME)); } else {
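Review bot: The hostname check added to handleUpload() in src/gql/resolvers/mutations/Asset.php inspects only the literal host string returned by parse_url(), so a syntactically valid name passes regardless of the address it resolves to, and nothing in the lines shown ties the later fetch to a checked address. Consider resolving the host, rejecting loopback, private and link-local results, and connecting to the address that was validated. Two smaller points: the comment says "alphanumeric" while FILTER_FLAG_HOSTNAME also accepts hyphens and dots, and the UserError message echoes the full $url back to the caller. The change touches only CHANGELOG.md and Asset.php, so a test covering an IP literal and an invalid hostname would be worth adding.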
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-x27p-wfqw-hfcc (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-68437 (ghsa, ADVISORY)
- github.com/craftcms/cms/blob/5.x/CHANGELOG.md (ghsa, x_refsource_MISC, WEB)
- github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52 (ghsa, x_refsource_MISC, WEB)
- github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc (ghsa, x_refsource_CONFIRM, WEB)