CVE-2026-25493
📋 TL;DR
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Craft CMS where attackers can bypass SSRF protections by exploiting HTTP redirects. The vulnerability affects Craft CMS versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21. Attackers can use this to access internal network resources, including cloud metadata endpoints.
💻 Affected Systems
- Craft CMS
📦 What is this software?
Craft Cms by Craftcms
⚠️ Risk & Real-World Impact
Worst Case
Attackers access sensitive internal systems, cloud metadata services, or pivot to internal network exploitation leading to data breaches or system compromise.
Likely Case
Attackers access internal services, cloud metadata, or perform reconnaissance on internal network resources.
If Mitigated
Limited impact due to network segmentation, proper firewall rules, and restricted internal service access.
🎯 Exploit Status
Exploitation requires an attacker to control a server that can host HTTP redirects, but the vulnerability itself is straightforward to exploit once that condition is met.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.16.18 and 5.8.22
Vendor Advisory: https://github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx
Restart Required: Yes
Instructions:
1. Update Craft CMS to version 4.16.18 or 5.8.22 or later.
2. Apply the update via Composer: 'composer update craftcms/cms'.
3. Clear caches and restart the web server.
🔧 Temporary Workarounds
Disable HTTP redirects in Guzzle
Configure the Guzzle HTTP client not to follow redirects globally in the application.
Modify Guzzle configuration to set 'allow_redirects' => false
Restrict GraphQL access
Limit access to GraphQL endpoints, particularly the saveAsset mutation, to trusted users only.
Implement authentication and authorization controls for GraphQL API
🧯 If You Can't Patch
- Implement network segmentation to restrict outbound HTTP requests from the Craft CMS server.
- Deploy a web application firewall (WAF) with SSRF protection rules to block malicious requests.
🔍 How to Verify
Check if Vulnerable:
Check Craft CMS version via admin panel or by examining composer.lock file for craftcms/cms version.
Check Version:
php craft --version
Verify Fix Applied:
Confirm version is 4.16.18+ or 5.8.22+ and test that HTTP redirects to internal IPs are blocked.
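The hop-by-hop check this verification step calls for, as an added Python example (not Craft's or Guzzle's own code): the name table and redirect responses are constructed stand-ins, and a real client would apply the same address validation to every DNS answer and keep automatic redirect following off.

```python
import ipaddress
from urllib.parse import urljoin, urlparse

# Constructed name table standing in for DNS (example data, not real hosts).
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],      # public address
    "metadata.internal": ["169.254.169.254"],  # resolves to link-local
    "localtest.me": ["127.0.0.1"],             # resolves to loopback
}

# Constructed responses: URL -> (status, Location header). The first entry
# models the attacker-controlled redirect the advisory describes.
REDIRECT_CHAIN = {
    "http://cdn.example.com/img.png": (302, "http://169.254.169.254/latest/meta-data/"),
    "http://cdn.example.com/ok.png": (301, "/final.png"),
    "http://cdn.example.com/final.png": (200, None),
}

def resolve(host, resolver=FAKE_DNS):
    """Return the addresses for host: a literal IP as-is, else a table lookup."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return resolver.get(host, [])

def is_internal_target(url, resolver=FAKE_DNS):
    """True when the URL must not be fetched: non-http(s) scheme, unresolvable
    host, or any address that is not globally routable (loopback, RFC 1918,
    link-local such as the 169.254.169.254 metadata service, and so on)."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return True
    addrs = resolve(parsed.hostname, resolver)
    return not addrs or any(not ipaddress.ip_address(a).is_global for a in addrs)

def follow_safely(url, responses=REDIRECT_CHAIN, resolver=FAKE_DNS, max_hops=5):
    """Walk a redirect chain hop by hop, validating every Location before it
    is requested. Returns (status, last_url, urls_actually_fetched).
    A client that auto-follows redirects (Guzzle's default) skips this check."""
    chain = []
    for _ in range(max_hops + 1):
        if is_internal_target(url, resolver):
            return ("blocked", url, chain)
        chain.append(url)
        code, location = responses.get(url, (200, None))
        if code not in (301, 302, 303, 307, 308) or not location:
            return ("ok", url, chain)
        url = urljoin(url, location)
    return ("too_many_redirects", url, chain)
```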
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP requests to internal IP addresses from Craft CMS server
- GraphQL saveAsset mutation requests with suspicious URLs
Network Indicators:
- Outbound HTTP requests from Craft CMS server to cloud metadata endpoints (e.g., 169.254.169.254)
- HTTP redirect chains involving internal IPs
SIEM Query:
source="craft_logs" AND (url="*169.254.169.254*" OR url="*metadata*" OR url="*internal*" OR url="*localhost*")