CVE-2025-68437
📋 TL;DR
This SSRF vulnerability in Craft CMS allows attackers with GraphQL asset management permissions to force the server to fetch content from arbitrary internal or cloud metadata endpoints. The fetched content is saved as an asset and can be exfiltrated, potentially exposing sensitive internal data. Affected users are those running vulnerable Craft CMS versions with GraphQL enabled and asset management permissions granted.
💻 Affected Systems
- Craft CMS
📦 What is this software?
Craft CMS by Craftcms
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of internal infrastructure through cloud metadata access, exposure of sensitive internal services, and potential lateral movement within the network.
Likely Case
Exfiltration of internal service data, cloud metadata exposure, and potential access to restricted internal endpoints.
If Mitigated
Limited impact due to proper network segmentation, egress filtering, and minimal GraphQL permissions.
🎯 Exploit Status
Exploitation requires authenticated access with specific GraphQL permissions for asset management.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.8.21 and 4.16.17
Vendor Advisory: https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc
Restart Required: Yes
Instructions:
1. Back up your Craft CMS installation and database.
2. Update via Composer: 'composer require craftcms/cms:^5.8.21' or 'composer require craftcms/cms:^4.16.17'.
3. Clear caches and restart your web server.
4. Verify the update in the Craft control panel.
🔧 Temporary Workarounds
Restrict GraphQL Asset Permissions
Temporarily remove or restrict GraphQL permissions for asset management until patching is complete.
Navigate to Settings → Users → Permissions in the Craft control panel and adjust the GraphQL permissions.
Network Egress Filtering
Implement egress filtering to block outbound requests from the web server to internal IP ranges and cloud metadata endpoints.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the Craft CMS server from internal services
- Apply WAF rules to block GraphQL mutations containing suspicious URL patterns
🔍 How to Verify
Check if Vulnerable:
Check your Craft CMS version in the control panel (Settings → System) or with the 'composer show craftcms/cms' command.
Check Version:
composer show craftcms/cms | grep version
Verify Fix Applied:
Confirm the version is 5.8.21+ or 4.16.17+ and test that GraphQL asset mutations pointing at internal URLs are rejected.
📡 Detection & Monitoring
Log Indicators:
- GraphQL mutation logs for 'save_*_Asset' with unusual URL patterns
- Outbound HTTP requests from web server to internal IP ranges
Network Indicators:
- HTTP requests from web server to 169.254.169.254 (AWS metadata), 100.100.100.200 (Aliyun), or internal RFC1918 addresses
SIEM Query:
source="web_server_logs" AND (url CONTAINS "save_" AND url CONTAINS "_Asset") AND (url CONTAINS "169.254.169.254" OR url CONTAINS "100.100.100.200" OR url CONTAINS "10." OR url CONTAINS "172.16." OR url CONTAINS "192.168.")
Note: "172.16." matches only 172.16.0.0/16, while the full RFC 1918 block 172.16.0.0/12 spans 172.16. through 172.31., and "10." also matches unrelated strings such as version numbers; tune these patterns to your SIEM's regex support. GraphQL mutations normally travel in the POST body rather than the URL, so the query must run against a log source that records request bodies.
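As an added example (not part of the advisory or the Craft project), the log indicators above applied to constructed request log lines: it flags save_*_Asset mutations whose URL targets an RFC 1918, loopback, link-local or cloud-metadata address using proper CIDR checks instead of string prefixes. The JSON line layout and the _file:{url:...} argument shape are assumptions, not taken from the page.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Ranges a Craft server should never fetch assets from: RFC 1918, loopback,
# 169.254.0.0/16 (AWS metadata 169.254.169.254), 100.64.0.0/10 (Aliyun 100.100.100.200).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10",
)]
MUTATION_RE = re.compile(r"\bsave_\w+_Asset\b")   # save_<volume>_Asset
URL_RE = re.compile(r"https?://[^\s\"'\\)<>]+")

def is_internal_host(host):
    """True for 'localhost' or an IP literal inside INTERNAL_NETS.
    Hostnames are deliberately not resolved, so DNS-based cases are not caught."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)

def find_ssrf_candidates(log_lines):
    """Return (line_no, mutation, url) for each save_*_Asset mutation whose URL is internal."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = MUTATION_RE.search(line)
        if not m:
            continue
        for url in URL_RE.findall(line):
            if is_internal_host(urlparse(url).hostname or ""):
                hits.append((n, m.group(0), url))
    return hits

# Constructed sample request log (JSON lines carrying the POST body; the
# _file:{url:...} argument layout is an assumption, not taken from Craft docs).
SAMPLE_LOG = [
    '{"ip":"203.0.113.5","body":"mutation { save_images_Asset(_file:{url:\\"https://cdn.example.com/logo.png\\"}) { id } }"}',
    '{"ip":"203.0.113.5","body":"mutation { save_images_Asset(_file:{url:\\"http://169.254.169.254/\\"}) { id } }"}',
    '{"ip":"198.51.100.9","body":"mutation { save_docs_Asset(_file:{url:\\"http://100.100.100.200/\\"}) { id } }"}',
    '{"ip":"198.51.100.9","body":"mutation { save_docs_Asset(_file:{url:\\"http://172.20.1.15:8080/\\"}) { id } }"}',
    '{"ip":"198.51.100.9","body":"query { assets { url } }"}',
]

if __name__ == "__main__":
    for n, mut, url in find_ssrf_candidates(SAMPLE_LOG):
        print(f"line {n}: {mut} -> {url}")
```

Point the script at your real GraphQL request log and extend INTERNAL_NETS with any additional internal ranges your environment uses.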