CVE-2025-68437
SSRF in Craft CMS GraphQL Asset Mutation Enables Data Exposure
Publication date: 2026-01-05
Last updated on: 2026-01-05
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craftcms | craft | From 5.0.0 (inc) to 5.8.20 (inc) |
| craftcms | craft | From 4.0.0 (inc) to 4.16.16 (inc) |
| craftcms | craft | 5.8.21 |
| craftcms | craft | 4.16.17 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
How can this vulnerability impact me?
The vulnerability can lead to potential data exposure and infrastructure compromise. Attackers can use it to access internal services or cloud metadata endpoints that are normally restricted, fetch sensitive data, and save it as assets that can be accessed and exfiltrated. This could result in unauthorized disclosure of sensitive information and possible further attacks on the infrastructure.
Can you explain this vulnerability to me?
This vulnerability is a Server-Side Request Forgery (SSRF) in the Craft CMS GraphQL save_<VolumeName>_Asset mutation. It occurs because the _file input's url parameter allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the url, causing the server to make unauthorized requests to restricted services. The fetched content is then saved as an asset, which can be accessed and exfiltrated.
What immediate steps should I take to mitigate this vulnerability?
Update Craft CMS to the patched versions 5.8.21 or 4.16.17 to mitigate the SSRF vulnerability in the GraphQL save_<VolumeName>_Asset mutation.