Source: security-advisories@github.com
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection. This is a bypass of the security fix for CVE-2025-68437. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.
Craft CMS versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22 are vulnerable to a Server-Side Request Forgery (SSRF) bypass. This allows attackers with specific GraphQL permissions to potentially access internal network resources or sensitive data by exploiting a flaw in the IPv6 address handling within the asset upload functionality, leading to a complete bypass of SSRF protection.
Step 1: Authentication and Permission Acquisition: The attacker must have authenticated access to the Craft CMS instance and possess GraphQL schema permissions to edit and create assets within a specific volume (<VolumeName>). This could be achieved through compromised credentials, misconfigured Public Schema with write permissions, or exploiting other vulnerabilities.
Step 2: Crafting the Malicious Payload: The attacker crafts a GraphQL mutation request to upload an asset to the <VolumeName> volume. The asset's source URL is set to a hostname that resolves only to an IPv6 address, targeting an internal resource (e.g., internal.example.com).
Step 3: SSRF Bypass: The GraphQL mutation triggers the asset upload process. The gethostbyname() function is called to resolve the hostname. Because the hostname has only AAAA records, gethostbyname() returns the hostname string.
Step 4: Blocklist Bypass: The returned hostname string is then compared against the blocklist. Since the blocklist likely contains IPv4 addresses or CIDR ranges, the comparison fails, bypassing the SSRF protection.
Step 5: Internal Resource Access: The asset upload process proceeds, attempting to fetch the asset from the internal resource specified by the attacker-controlled hostname. This allows the attacker to potentially access internal network resources or sensitive data, depending on the nature of the targeted resource and the permissions of the Craft CMS instance.
The vulnerability stems from the use of gethostbyname() in Craft CMS's GraphQL Asset mutation for SSRF validation. This function, when resolving hostnames with only AAAA (IPv6) records, returns the hostname string itself instead of an IPv4 address. The subsequent blocklist comparison then fails because it's comparing the hostname string against a list of IPv4 addresses or CIDR ranges, effectively bypassing the intended SSRF protection. The root cause is the inadequate handling of IPv6 addresses within the validation logic, specifically the reliance on gethostbyname() and the subsequent comparison logic. This allows attackers to craft malicious requests that target internal resources by providing a hostname that resolves only to an IPv6 address, which is then not properly validated against the blocklist.
While no specific APTs are directly linked to this vulnerability at this time, the nature of SSRF makes it a high-value target for various threat actors. This vulnerability could be used for reconnaissance, data exfiltration, or lateral movement within a network. CISA KEV status: Not Applicable (as of the provided date).
Monitor GraphQL request logs for suspicious asset upload attempts, especially those targeting internal hostnames or IP addresses.
Analyze network traffic for outbound connections from the Craft CMS server to internal network resources, particularly those initiated by the CMS process.
Review Craft CMS configuration for misconfigured GraphQL schema permissions, especially those granting write access to the Public Schema.
Implement network-level intrusion detection systems (IDS) and intrusion prevention systems (IPS) to detect and block suspicious outbound traffic patterns.
Monitor server logs for unusual DNS queries, particularly those resolving internal hostnames or IP addresses.
Upgrade to Craft CMS version 4.16.19 or 5.8.23 or later to patch the vulnerability.
Review and restrict GraphQL schema permissions to only the necessary roles and users. Ensure the Public Schema does not have write permissions.
Implement a robust input validation mechanism for all user-supplied data, including asset source URLs.
Implement a more comprehensive SSRF protection mechanism that resolves and checks both IPv4 (A) and IPv6 (AAAA) addresses, rather than relying on gethostbyname(), and that rejects a URL when its hostname cannot be resolved at all.
Regularly update and patch all software components, including Craft CMS and any related plugins or dependencies.
Implement a Web Application Firewall (WAF) to filter malicious requests.
Consider using a Content Delivery Network (CDN) to mitigate the impact of SSRF attacks.
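The following PHP example is added here to illustrate the root cause described above and the kind of validation the mitigation calls for; it is not Craft CMS code and does not reproduce Craft's actual implementation. The blocklist ranges, the hostnames, and the stand-in DNS data are constructed so the script runs offline; `flawedCheck()`, `hardenedCheck()`, `ipInCidr()` and `isBlocked()` are hypothetical names. The flawed variant mirrors the behaviour the advisory describes (an A-only lookup whose failure value is the hostname string, then a blocklist comparison), while the hardened variant resolves every A and AAAA record and fails closed.

```php
<?php
declare(strict_types=1);

// Added example, not Craft CMS code. Constructed blocklist in CIDR form;
// a real deployment would take this from configuration.
const BLOCKED_RANGES = [
    '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '169.254.0.0/16',
    '::1/128', 'fc00::/7', 'fe80::/10', '::ffff:0:0/96',
];

/** True if $ip (an IPv4 or IPv6 literal) lies inside the CIDR $range. */
function ipInCidr(string $ip, string $range): bool
{
    // A hostname string is not an IP literal: this is exactly why the flawed
    // comparison never matches when the lookup returns the name unchanged.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    [$net, $bits] = explode('/', $range);
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // different address families never match
    }
    $bits      = (int) $bits;
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

function isBlocked(string $ip): bool
{
    foreach (BLOCKED_RANGES as $range) {
        if (ipInCidr($ip, $range)) {
            return true;
        }
    }
    return false;
}

/**
 * Flawed pattern described in the advisory: the lookup only covers A records
 * and yields the hostname itself when none exist, so an AAAA-only name is
 * compared as a string against the blocklist and is always "allowed".
 * $gethostbyname stands in for PHP's gethostbyname() so the script runs offline.
 */
function flawedCheck(string $host, callable $gethostbyname): bool
{
    $resolved = $gethostbyname($host);
    return !isBlocked($resolved);
}

/**
 * Hardened pattern: resolve all A and AAAA records, fail closed when nothing
 * resolves, and reject the URL if any answer falls in a blocked range.
 * $resolver returns the IP literals for a name; the default uses dns_get_record().
 */
function hardenedCheck(string $host, ?callable $resolver = null): bool
{
    $resolver ??= static function (string $h): array {
        $ips = [];
        foreach (dns_get_record($h, DNS_A | DNS_AAAA) ?: [] as $rr) {
            $ips[] = $rr['ip'] ?? $rr['ipv6'];
        }
        return $ips;
    };
    // An IP literal needs no lookup; a hostname must resolve to at least one address.
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolver($host);
    if ($ips === []) {
        return false; // unresolvable is not the same as safe
    }
    foreach ($ips as $ip) {
        if (isBlocked($ip)) {
            return false;
        }
    }
    return true;
}

// Constructed DNS data standing in for a live resolver (names are illustrative).
$fakeDns = [
    'internal.example' => ['a' => [],                'aaaa' => ['::1']],
    'www.example'      => ['a' => ['93.184.216.34'], 'aaaa' => []],
];
// Mimics gethostbyname(): first A record, or the unchanged name on failure.
$fakeGethostbyname = fn(string $h): string => $fakeDns[$h]['a'][0] ?? $h;
$fakeResolver      = fn(string $h): array  => array_merge($fakeDns[$h]['a'] ?? [], $fakeDns[$h]['aaaa'] ?? []);

var_dump(flawedCheck('internal.example', $fakeGethostbyname));
var_dump(hardenedCheck('internal.example', $fakeResolver));
var_dump(hardenedCheck('www.example', $fakeResolver));
```

Run with `php example.php`; the first call shows the AAAA-only name passing the flawed check, the second shows the hardened check rejecting it. One caveat remains even with the hardened version: the validation resolves the name separately from the HTTP client that later fetches the asset, so a name whose answer changes between the two lookups still reaches the internal address. Pinning the validated IP into the client's connection (or validating on every redirect and reconnect) closes that window.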