CVE-2026-27127

Source: security-advisories@github.com

HIGH
7.0
Published: February 24, 2026 at 03:16 AM
Modified: February 24, 2026 at 03:16 AM

Vulnerability Description

Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker’s DNS server returns different IP addresses for validation compared to the actual request. This is a bypass of the security fix for CVE-2025-68437 that allows access to all blocked IPs, not just IPv6 endpoints. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.

CVSS Metrics

Base Score
7.0
Severity
HIGH
Vector String
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses (CWE)

Source: security-advisories@github.com

AI Security Analysis

01 // Technical Summary

Craft CMS versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22 are vulnerable to a Server-Side Request Forgery (SSRF) attack due to a Time-of-Check-Time-of-Use (TOCTOU) vulnerability in the GraphQL Asset mutation. This allows attackers to bypass security measures and access internal resources by exploiting a DNS rebinding attack, potentially leading to sensitive data exposure or system compromise.

02 // Vulnerability Mechanism

Step 1: Setup Attacker DNS Server: The attacker sets up a DNS server that initially resolves a target domain (e.g., internal.example.com) to a legitimate, publicly accessible IP address.

Step 2: Craft GraphQL Payload: The attacker crafts a GraphQL mutation request to create or update an asset in Craft CMS, specifying a URL that points to the target domain (e.g., internal.example.com) within the <VolumeName> volume. The attacker must have permissions to edit assets.

Step 3: Submit GraphQL Request: The attacker submits the crafted GraphQL request to the vulnerable Craft CMS instance.

Step 4: Initial DNS Resolution (Validation): Craft CMS performs a DNS lookup for the target domain (e.g., internal.example.com). The attacker's DNS server responds with the initially configured public IP address.

Step 5: DNS Rebinding (Exploitation): After the initial DNS lookup, but before the HTTP request is made, the attacker's DNS server is reconfigured to resolve the target domain to a private IP address (e.g., an internal IP address like 192.168.1.1 or the loopback address 127.0.0.1).

Step 6: HTTP Request (Exploitation): Craft CMS makes the HTTP request to the target domain. Because of the DNS rebinding, the request is now sent to the private IP address, bypassing any intended restrictions.

Step 7: Access Internal Resources: The attacker's request is now directed to the internal resource, allowing the attacker to potentially access sensitive information or interact with internal services.

03 // Deep Technical Analysis

The vulnerability stems from a flaw in how Craft CMS validates URLs within its GraphQL Asset mutation. The system performs DNS resolution separately from the HTTP request, creating a TOCTOU condition: the first DNS lookup is used only for validation, and the HTTP client then resolves the hostname a second time, so an attacker-controlled DNS server can return a different address for the second query. The root cause is the lack of synchronization between the DNS resolution and the HTTP request, which is exactly what a DNS rebinding attack exploits. The validation logic does not account for the possibility of the IP address changing between the check and the use, so the controls designed to prevent access to internal or restricted resources are bypassed. This is a bypass of the fix for CVE-2025-68437, which addressed a similar issue but only for IPv6 endpoints; this bypass reaches all blocked addresses.

04 // Exploitation Status

Likely status: **Discovery Only**, with a **Public PoC** plausible. Given the nature of the vulnerability (TOCTOU and DNS rebinding), a proof-of-concept (PoC) is feasible. However, the exact implementation details may vary depending on the specific Craft CMS version and the target environment. It is highly probable that a PoC will be developed and shared publicly.

05 // Threat Intelligence

While no specific APT groups are explicitly linked to this CVE at this time, the nature of the vulnerability (SSRF) makes it attractive to various threat actors. The ability to access internal resources makes it a valuable attack vector for reconnaissance, data exfiltration, and lateral movement. CISA KEV status: Not Applicable (as of the provided date).

06 // Detection & Hunting

  • Monitor network traffic for unusual HTTP requests originating from the Craft CMS server to internal IP addresses or the loopback address (127.0.0.1).

  • Analyze Craft CMS server logs for GraphQL mutation requests that include suspicious URLs, especially those pointing to internal domains or IP addresses.

  • Implement network-based intrusion detection systems (IDS) with rules to identify DNS rebinding attempts. This can involve monitoring DNS traffic for rapid IP address changes associated with specific domains.

  • Monitor DNS server logs for rapid IP address changes associated with domains used in Craft CMS asset management.
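One way to implement the DNS-log hunt from the last two bullets, as an added example that is not part of the advisory or of Craft CMS: it parses a constructed resolver query log (format assumed: timestamp, queried name, answer) and flags any name whose answer flips from a globally routable address to an internal one within a short window.

```python
import ipaddress
from datetime import datetime
from typing import List, Tuple

# Constructed sample of resolver query-log lines as seen from the CMS host:
# "<ISO timestamp> <queried name> <answer address>". Not real Craft or DNS server output.
SAMPLE_DNS_LOG = """\
2026-02-24T03:16:01Z cdn.example.net 93.184.216.34
2026-02-24T03:16:02Z img-host.example 93.184.216.35
2026-02-24T03:16:03Z img-host.example 127.0.0.1
2026-02-24T03:16:40Z cdn.example.net 93.184.216.36
2026-02-24T03:20:00Z vpn.example.org 8.8.8.8
2026-02-24T03:45:00Z vpn.example.org 10.0.0.5
"""

def is_blocked(ip: str) -> bool:
    """Anything not globally routable (loopback, RFC 1918, link-local, ULA) counts as internal."""
    return not ipaddress.ip_address(ip).is_global

def parse_dns_log(text: str) -> List[Tuple[datetime, str, str]]:
    """Parse the constructed format above into (timestamp, qname, answer) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # tolerate blank or malformed lines
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        records.append((ts, parts[1].lower(), parts[2]))
    return records

def find_rebinding(text: str, window_s: int = 60) -> List[Tuple[str, str, str, int]]:
    """Flag a name whose answer flips from a routable address to an internal one within
    window_s seconds. Returns (qname, earlier public ip, later internal ip, seconds apart)."""
    last_public = {}  # qname -> (timestamp, ip) of the most recent routable answer
    hits = []
    for ts, name, ip in sorted(parse_dns_log(text)):
        if not is_blocked(ip):
            last_public[name] = (ts, ip)
            continue
        prev = last_public.get(name)
        if prev is not None:
            delta = int((ts - prev[0]).total_seconds())
            if delta <= window_s:
                hits.append((name, prev[1], ip, delta))
    return hits

if __name__ == "__main__":
    for hit in find_rebinding(SAMPLE_DNS_LOG):
        print("possible rebinding:", hit)
```

Names that legitimately resolve to internal addresses (split-horizon DNS) will also surface when the window is widened, so pair this with an allowlist of known internal names.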

07 // Remediation & Hardening

  • Upgrade Craft CMS to versions 4.16.19 or 5.8.23 or later to patch the vulnerability.

  • Implement strict input validation and sanitization for all URLs used in the GraphQL Asset mutation.

  • Enforce a consistent DNS resolution mechanism for both validation and the HTTP request: resolve the hostname once, validate every returned address, and connect to that validated address (with the Host header set to the original name) rather than letting the HTTP client resolve the name again. A resolver cache with a short TTL only narrows the window and is not a substitute for pinning the address.

  • Restrict access to the GraphQL schema, particularly the Asset mutation, to only authorized users and roles.

  • Implement network segmentation to isolate the Craft CMS server from sensitive internal resources.

  • Regularly audit and review GraphQL schema permissions to ensure least privilege access.

  • Consider using a web application firewall (WAF) to filter malicious requests and block known SSRF attempts.
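The check-then-use pattern from the mechanism section beside the pinned-resolution fix from the remediation list, as an added example that is not Craft CMS code. The resolver is injected so the behaviour can be exercised offline; `RebindingResolver` is a constructed test double whose answers change between queries, and `system_resolver` is an assumed helper for real use.

```python
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]

def is_blocked(ip: str) -> bool:
    """Refuse anything not globally routable: loopback, RFC 1918, link-local, v6 ULA, and so on."""
    return not ipaddress.ip_address(ip).is_global

def system_resolver(host: str) -> List[str]:
    """Assumed helper: every A/AAAA answer the OS resolver returns for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def vulnerable_target(url: str, resolver: Resolver = system_resolver) -> str:
    """TOCTOU pattern: validate one lookup, then let the HTTP client resolve the name again."""
    host = urlsplit(url).hostname
    if any(is_blocked(ip) for ip in resolver(host)):
        raise ValueError(f"blocked host: {host}")
    # The HTTP client performs its own lookup here; the answer may differ from the one checked.
    return resolver(host)[0]

def pinned_target(url: str, resolver: Resolver = system_resolver) -> str:
    """Fixed pattern: resolve once, validate every answer, connect to exactly that address."""
    host = urlsplit(url).hostname
    answers = resolver(host)
    if not answers or any(is_blocked(ip) for ip in answers):
        raise ValueError(f"blocked host: {host}")
    # The caller must open the socket to this literal IP and send "Host: <host>";
    # the hostname is never handed back to the HTTP client for a second lookup.
    return answers[0]

class RebindingResolver:
    """Constructed test double standing in for a DNS server whose answers change per query."""
    def __init__(self, answers: List[str]):
        self.answers = list(answers)
        self.calls = 0

    def __call__(self, host: str) -> List[str]:
        answer = self.answers[min(self.calls, len(self.answers) - 1)]
        self.calls += 1
        return [answer]
```

Any redirect the fetch follows must go through `pinned_target` again, since the Location header is just another attacker-chosen URL.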

08 // Affected Products

Craft CMS versions 4.5.0-RC1 through 4.16.18
Craft CMS versions 5.0.0-RC1 through 5.8.22