PT-2026-1344 · Pixel & Tonic · Craft

Published 2026-01-05 · Updated 2026-04-15 · CVE-2025-68437

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Craft versions 5.0.0-RC1 through 5.8.20
Craft versions 4.0.0-RC1 through 4.16.16

Description
Craft is a platform for creating digital experiences. The GraphQL save_<VolumeName>_Asset mutation is susceptible to Server-Side Request Forgery (SSRF). The url parameter of the mutation's file input is not sufficiently validated, so the server fetches content from whatever location the caller names. An attacker can supply an internal IP address or a cloud metadata endpoint as the url, causing the server to request restricted services from inside the network; the response is then stored as an asset in the volume, where it may be retrievable by the attacker. This can expose internal data and cloud credentials and lead to further infrastructure compromise. Exploitation requires a GraphQL schema or token that grants asset save permission for the targeted volume (hence PR:H in the vector); the scope-changed rating reflects that the impact lands on services other than Craft itself. The vulnerable parameter is url.

Recommendations
Update to Craft version 5.8.21 or later (5.x).
Update to Craft version 4.16.17 or later (4.x).
As general hardening until the update is applied: limit which GraphQL schemas carry asset save permission and which tokens hold them, and restrict outbound requests from the application host to internal address ranges and the cloud metadata address.
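As an added example (not part of this advisory and not Craft's own code), the following Python shows the destination check that a server-side fetch of a user-supplied url should apply before retrieving anything: allow only http(s), resolve the host before the request, and refuse every address that is not globally routable, which covers loopback, RFC 1918, link-local (including the 169.254.169.254 metadata address), IPv4-mapped IPv6 and obfuscated IPv4 spellings. The function names, the FAKE_DNS table and the sample URLs are constructed for the demo and are not identifiers from Craft.

```python
"""Destination check for a server-side fetch of a user-supplied URL.

Added illustration, not code from the advisory or from Craft. It shows the
guard the vulnerable `url` parameter lacked. The caller is expected to
connect to the returned, already-validated addresses (not re-resolve the
name) and to re-run this check on every redirect target.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = frozenset({"http", "https"})


class UnsafeUrl(ValueError):
    """The URL must not be fetched server-side."""


def _literal_ip(host):
    """Return an ip_address if `host` is any literal IP spelling, else None.

    Besides normal dotted-quad / IPv6 literals this catches forms that
    inet_aton accepts but ipaddress does not: decimal ("2130706433"),
    hex ("0x7f000001"), octal ("0177.0.0.1") and short ("127.1").
    """
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(socket.inet_aton(host))  # packed 4 bytes
    except OSError:
        return None


def _is_public(ip):
    """True only for globally routable unicast addresses."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return ip.is_global and not ip.is_multicast


def _system_resolver(host):
    """Default resolver: all A/AAAA answers for `host`."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def validate_fetch_url(url, resolver=_system_resolver):
    """Validate `url`; return the list of public IPs it may be fetched from.

    Raises UnsafeUrl otherwise. A name that resolves to *any* non-public
    address is rejected, so a mixed answer set cannot smuggle one in.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname  # strips brackets, userinfo and port
    if not host:
        raise UnsafeUrl("URL has no host")

    ip = _literal_ip(host)
    if ip is not None:
        addrs = [ip]
    else:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            raise UnsafeUrl(f"cannot resolve {host!r}: {exc}") from exc
        if not addrs:
            raise UnsafeUrl(f"no addresses for {host!r}")

    for addr in addrs:
        if not _is_public(addr):
            raise UnsafeUrl(f"{host!r} points at non-public address {addr}")
    return [str(a) for a in addrs]


# Constructed, offline stand-in for DNS so the demo needs no network.
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "metadata.google.internal": ["169.254.169.254"],
    "db.corp.internal": ["10.20.30.40"],
    "rebind.example.net": ["93.184.216.34", "127.0.0.1"],  # mixed answers
}


def fake_resolver(host):
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed resolver: no record for {host!r}")


def classify(urls, resolver=fake_resolver):
    """Map each URL to its validated IP list or to the rejection reason."""
    out = {}
    for u in urls:
        try:
            out[u] = validate_fetch_url(u, resolver)
        except UnsafeUrl as exc:
            out[u] = f"REJECT: {exc}"
    return out


if __name__ == "__main__":
    samples = [
        "https://cdn.example.com/logo.png",
        "http://169.254.169.254/latest/meta-data/",
        "http://metadata.google.internal/computeMetadata/v1/",
        "http://[::ffff:127.0.0.1]/",
        "http://2130706433/",
        "http://127.1/",
        "http://rebind.example.net/",
        "file:///etc/passwd",
    ]
    for url, verdict in classify(samples).items():
        print(f"{url:55} {verdict}")
```

Validating the URL string alone is not enough: the check has to run against the resolved addresses, the HTTP client must then connect to those pinned addresses rather than resolve the name a second time (otherwise a DNS rebinding answer can change between check and fetch), and any redirect must be re-validated with the same function before it is followed.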

Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers
CVE-2025-68437
GHSA-X27P-WFQW-HFCC

Affected Products
Craft