CVE-2026-25494
📋 TL;DR
This vulnerability allows attackers to bypass IP address blocklists in Craft CMS by supplying the target in alternative IP notations (hexadecimal, mixed) that PHP's filter_var() function does not recognise as IP addresses, so the blocklist check never matches them even though the server-side request still reaches the address. This enables access to cloud metadata services that should be blocked. Affects Craft CMS versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21.
💻 Affected Systems
- Craft CMS
📦 What is this software?
Craft Cms by Craftcms
⚠️ Risk & Real-World Impact
Worst Case
Attackers access cloud metadata services to obtain sensitive credentials, API keys, or infrastructure information, leading to cloud account compromise and lateral movement.
Likely Case
Attackers bypass IP restrictions to access internal metadata endpoints, potentially exposing configuration data and limited system information.
If Mitigated
Minimal impact if cloud metadata services are protected by additional layers beyond IP filtering (for example, a metadata service that requires a session token, such as AWS IMDSv2, cannot be read with a plain GET).
🎯 Exploit Status
Exploitation requires the ability to call the saveAsset GraphQL mutation on the affected endpoint and knowledge of alternative IP notations. Once the bypass is known, it is straightforward to exploit: the attacker only has to rewrite the blocked address in a notation the filter does not recognise.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.16.18 and 5.8.22
Vendor Advisory: https://github.com/craftcms/cms/security/advisories/GHSA-m5r2-8p9x-hp5m
Restart Required: No
Instructions:
1. Update Craft CMS to version 4.16.18 or 5.8.22
2. No database migrations or configuration changes required
3. Verify the patch is applied by checking the version
🔧 Temporary Workarounds
Disable saveAsset GraphQL mutation
Temporarily disable the vulnerable GraphQL mutation if it is not required: modify the GraphQL configuration to remove the saveAsset mutation.
Implement network-level restrictions
Block access to cloud metadata endpoints at the firewall/network level: configure firewall rules to block 169.254.169.254 and other cloud metadata IPs. Note that this also blocks the instance's own legitimate use of the metadata service (for example, fetching role credentials), so scope the rule to the web application's process or user where the platform allows it.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block alternative IP notation patterns (hexadecimal, octal, decimal and short-form addresses); treat this as a stopgap, since pattern lists are easy to miss and do not cover hostnames that resolve to blocked addresses
- Restrict GraphQL endpoint access to trusted IP addresses only
🔍 How to Verify
Check if Vulnerable:
Check the Craft CMS version via the admin panel or composer.lock (composer.lock records the installed version; composer.json only records the version constraint). If the version is between 4.0.0-RC1 and 4.16.17 or between 5.0.0-RC1 and 5.8.21, the system is vulnerable.
Check Version:
php craft --version
Verify Fix Applied:
Verify version is 4.16.18+ or 5.8.22+ and test IP blocklist functionality with alternative IP notations.
📡 Detection & Monitoring
Log Indicators:
- saveAsset GraphQL mutation calls whose target URL uses unusual IP formats (hexadecimal such as 0xA9FEA9FE, mixed or short-form addresses instead of a plain dotted quad)
- Access attempts to cloud metadata endpoints from application server
Network Indicators:
- Outbound connections from application to cloud metadata IPs (169.254.169.254, etc.)
SIEM Query:
source="craft-logs" AND ("saveAsset" OR "GraphQL") AND (ip="0xA9FEA9FE" OR ip="169.254.169.254")
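The bypass described in the TL;DR and the detection logic above both come down to the same problem: a blocklist that compares only canonical dotted-quad strings while the underlying socket layer (inet_aton/getaddrinfo) happily accepts hex, octal, short-form and decimal spellings. The following is an added example, not code from Craft CMS or the advisory. It canonicalises every inet_aton-accepted spelling before the blocklist check, shows the naive check beside the hardened one, and then runs the hardened check over a few constructed log lines. The log format, the field names, the fake DNS table and the deny list are assumptions for this illustration; real Craft logs will look different, and the two-literal SIEM query above would miss the octal and short-form spellings this code catches.

```python
"""Added example (not Craft CMS code): canonicalise inet_aton-style IPv4
spellings so a blocklist check cannot be side-stepped with hex, octal, short or
decimal notations, then run that check over constructed request log lines."""
import ipaddress
import re
from typing import Callable, List, Optional
from urllib.parse import urlsplit

# Ranges a server-side fetch should never reach (assumed SSRF deny list).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",   # link-local, includes cloud metadata 169.254.169.254
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/8",
)]

# One inet_aton number: hex (0x..), octal (leading 0) or decimal.
_NUM = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def _num(tok: str) -> int:
    """strtoul(..., base 0) semantics that inet_aton applies to each part."""
    if tok[:2].lower() == "0x":
        return int(tok[2:], 16)
    if len(tok) > 1 and tok[0] == "0":
        return int(tok, 8)
    return int(tok)


def canonical_ipv4(host: str) -> Optional[str]:
    """Dotted-quad for any spelling inet_aton/getaddrinfo would accept, else None.

    inet_aton takes 1-4 dot-separated numbers; the last number fills every
    remaining byte (a.b.c.d, a.b.c, a.b, a). Hostnames return None.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_NUM.match(p) for p in parts):
        return None
    vals = [_num(p) for p in parts]
    head, last = vals[:-1], vals[-1]
    last_bits = 8 * (4 - len(head))
    if any(v > 255 for v in head) or last >= 1 << last_bits:
        return None
    n = 0
    for v in head:
        n = (n << 8) | v
    return str(ipaddress.IPv4Address((n << last_bits) | last))


def naive_is_blocked(host: str) -> bool:
    """The flawed pattern: only strings that already parse as a dotted-quad are
    compared to the blocklist; every other spelling is waved through."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in BLOCKED_NETS)


def hardened_is_blocked(host: str, resolve: Callable[[str], List[str]]) -> bool:
    """Canonicalise literals first, resolve real hostnames, check every
    returned address, and fail closed when nothing can be checked."""
    canon = canonical_ipv4(host)
    addrs = [canon] if canon else resolve(host)
    if not addrs:
        return True
    return any(ipaddress.ip_address(a) in net for a in addrs for net in BLOCKED_NETS)


# Constructed stand-in for DNS so the example runs offline.
_FAKE_DNS = {"assets.example.com": ["203.0.113.10"],
             "rebind.example": ["169.254.169.254"]}


def fake_resolve(host: str) -> List[str]:
    return _FAKE_DNS.get(host, [])


# Constructed log lines in a hypothetical format; real Craft logs will differ.
SAMPLE_LOG = [
    '2026-02-10T12:00:01Z 203.0.113.5 POST /api mutation=saveAsset url="https://assets.example.com/a.png"',
    '2026-02-10T12:00:02Z 198.51.100.7 POST /api mutation=saveAsset url="http://0xA9FEA9FE/latest/meta-data/"',
    '2026-02-10T12:00:03Z 198.51.100.7 POST /api mutation=saveAsset url="http://169.254.43518/latest/meta-data/"',
    '2026-02-10T12:00:04Z 203.0.113.9 POST /api mutation=ping url="http://0xA9FEA9FE/"',
]
_LOG_RE = re.compile(r'mutation=(?P<mutation>\w+).*?url="(?P<url>[^"]+)"')


def scan_log(lines: List[str], resolve: Callable[[str], List[str]]) -> List[tuple]:
    """Return (line number, host as written, canonical form) for saveAsset
    calls whose target lands in a blocked range, whatever the spelling."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _LOG_RE.search(line)
        if not m or m.group("mutation") != "saveAsset":
            continue
        host = urlsplit(m.group("url")).hostname or ""   # urlsplit lowercases it
        if hardened_is_blocked(host, resolve):
            hits.append((n, host, canonical_ipv4(host)))
    return hits


if __name__ == "__main__":
    for s in ("0xA9FEA9FE", "0xA9.254.169.254", "0251.0376.0251.0376", "169.254.43518", "2852039166"):
        print(f"{s:>22} naive={naive_is_blocked(s)} hardened={hardened_is_blocked(s, fake_resolve)}")
    print(scan_log(SAMPLE_LOG, fake_resolve))
```

The design point is that the blocklist must run on the address the socket layer will actually connect to, not on the string the user typed: canonicalise literals, resolve hostnames and check every record, and refuse anything that cannot be checked. IPv6 literals and DNS rebinding (a hostname that resolves differently at check time and at connect time) need the same treatment and are out of scope here.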