PT-2026-7144 · Craft · Craft
Mhe4Am · Published 2026-02-09 · Updated 2026-02-11 · CVE-2026-25494
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Craft versions 4.0.0-RC1 through 4.16.17
Craft versions 5.0.0-RC1 through 5.8.21
Description
The saveAsset GraphQL mutation in Craft does not properly validate IP addresses used to access cloud metadata services. The application uses filter_var(..., FILTER_VALIDATE_IP) to block a list of IP addresses, but this function does not recognize alternative IP notations such as hexadecimal or mixed formats. This allows attackers to bypass the blocklist and potentially access cloud metadata. The vulnerable component is the saveAsset mutation; the vulnerable parameter is the IP address used in the request.
Recommendations
Update to Craft version 4.16.18 or later.
Update to Craft version 5.8.22 or later.
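Added example, not Craft's code and written in Python rather than PHP: the flawed pattern from the description (a strict validator deciding whether the blocklist applies at all) beside a hardened check that first resolves the host the way the HTTP client will and then compares the canonical result with the blocklist. The blocklist ranges and the host strings are constructed for illustration.

```python
import ipaddress
import socket

# Constructed blocklist for a server-side fetcher: loopback, RFC 1918,
# link-local (where cloud metadata endpoints live) and IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def _in_blocklist(addr):
    candidates = [addr]
    if addr.version == 6 and addr.ipv4_mapped is not None:
        candidates.append(addr.ipv4_mapped)  # ::ffff:127.0.0.1 -> 127.0.0.1
    return any(c in net for c in candidates for net in BLOCKED_NETWORKS)

def naive_is_blocked(host):
    """Flawed pattern: a strict validator (here ipaddress, standing in for
    FILTER_VALIDATE_IP) decides whether host is an IP literal; anything it
    rejects is treated as a hostname and never compared with the blocklist."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # "not an IP" -> check skipped, yet the client connects
    return _in_blocklist(addr)

def canonical_addresses(host):
    """Resolve host the way the HTTP client will: lenient inet_aton parsing
    (Linux/BSD: '0x7f.0.0.1', '127.1', '2130706433' -> 127.0.0.1), then an
    IPv6 literal, then DNS. Returns canonical ipaddress objects."""
    host = host.strip("[]")
    try:
        return [ipaddress.ip_address(socket.inet_ntoa(socket.inet_aton(host)))]
    except OSError:
        pass
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return [ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos]

def hardened_is_blocked(host):
    """Fail closed: block when nothing resolves or any resolved address
    (the one the client would actually connect to) is in the blocklist."""
    addrs = canonical_addresses(host)
    return not addrs or any(_in_blocklist(a) for a in addrs)
```

The DNS branch is only reached for real hostnames; a fetcher should also pin the resolved address it checked to the connection it makes, otherwise a second lookup can return a different answer.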
Exploit
Fix
SSRF
Affected Products: Craft