PT-2026-7143 · Craft · Craft
Mhe4Am
Published: 2026-02-09
Updated: 2026-02-11
CVE-2026-25493
CVSS v4.0: 6.9 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Craft versions 4.0.0-RC1 through 4.16.17
Craft versions 5.0.0-RC1 through 5.8.21
Description
The saveAsset GraphQL mutation validates the hostname and resolved IP address of the initial URL against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can therefore bypass the Server-Side Request Forgery (SSRF) protection by hosting a redirect that points to cloud metadata endpoints or any internal IP address: the application validates only the initial URL, and Guzzle's redirect handling sidesteps that check. The mutation is reached through the /saveAsset GraphQL endpoint with the url parameter, which specifies the location of the asset to be saved.
Recommendations
Craft versions prior to 4.16.18 are affected.
Craft versions prior to 5.8.22 are affected.
Disable redirects.
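The bypass above rests on a check that runs once, on the initial URL. The following is an added example, not Craft's own code, of a fetch routine that turns off Guzzle's automatic redirects and re-validates every hop before requesting it; `isPublicHost` and `fetchAssetSafely` are assumed names, and the policy of rejecting private and reserved address ranges is an assumption about what the blocklist should cover.

```php
<?php
// Added example (not Craft's code): fetch an asset URL without letting
// Guzzle follow redirects into hosts the initial check would have blocked.
require 'vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Psr7\Uri;
use GuzzleHttp\Psr7\UriResolver;
use GuzzleHttp\RequestOptions;

/** Assumed policy: every address the host resolves to must be public. */
function isPublicHost(string $host): bool
{
    // Literal IPs are used as-is; names are resolved (fail closed if that fails).
    $addrs = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    if ($addrs === []) {
        return false;
    }
    foreach ($addrs as $ip) {
        // Rejects loopback, link-local (169.254.0.0/16 metadata range) and RFC 1918 space.
        if (!filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
            return false;
        }
    }
    return true;
}

function fetchAssetSafely(Client $client, string $url, int $maxHops = 5): string
{
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        $scheme = parse_url($url, PHP_URL_SCHEME);
        $host   = parse_url($url, PHP_URL_HOST);
        // The check runs on every hop, not only on the URL the caller supplied.
        if (!in_array($scheme, ['http', 'https'], true) || $host === null || !isPublicHost($host)) {
            throw new RuntimeException("Blocked URL: $url");
        }
        // Guzzle must not follow redirects on its own; each 3xx comes back to us.
        $res = $client->get($url, [RequestOptions::ALLOW_REDIRECTS => false]);
        $status = $res->getStatusCode();
        if ($status >= 300 && $status < 400 && $res->hasHeader('Location')) {
            $url = (string) UriResolver::resolve(new Uri($url), new Uri($res->getHeaderLine('Location')));
            continue; // next iteration validates the redirect target
        }
        return (string) $res->getBody();
    }
    throw new RuntimeException('Too many redirects');
}
```

Resolving the name and opening the connection are still separate steps, so a deployment that must also resist DNS rebinding pins the checked address (for example by routing fetches through an egress proxy) rather than relying on this check alone.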
Exploit
Fix
SSRF
Weakness Enumeration
Related Identifiers
Affected Products
Craft