CVE-2026-25493: Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via HTTP Redirect
The saveAsset GraphQL mutation validates the hostname of the user-supplied URL and the IP it resolves to against a blocklist, but it then fetches the URL with Guzzle, which follows HTTP redirects by default. Only the first URL is ever checked: an attacker hosts a URL on a public host that passes the blocklist and answers with a 3xx redirect whose Location points at a cloud metadata endpoint (for example the link-local 169.254.169.254) or any internal IP address, and Guzzle fetches that target with no further validation. This bypasses the SSRF protections entirely. The fix commit and the patched releases (4.16.18 for the 4.x line, 5.8.22 for 5.x) are linked below.
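The vulnerable pattern beside a hardened one, as an added illustration that is not Craft CMS or Guzzle project code. It assumes Composer has installed guzzlehttp/guzzle (6.x or 7.x); the function names, the blocklist helper and the fake DNS resolver are hypothetical, and the HTTP exchange is simulated with Guzzle's MockHandler so the script runs offline. The first client validates only the initial URL and lets the default RedirectMiddleware follow the 302; the second disables automatic redirects and re-runs the same check on every hop before sending it.

```php
<?php
// Added example, not code from Craft CMS or Guzzle. Assumes guzzlehttp/guzzle is
// installed via Composer; helper names and the fake resolver are hypothetical.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Handler\MockHandler;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Psr7\Response;
use GuzzleHttp\Psr7\Uri;
use GuzzleHttp\Psr7\UriResolver;

// Reject loopback, link-local (169.254.0.0/16, where cloud metadata lives),
// RFC 1918 and other reserved ranges. PHP's IP filter covers these in one call.
function isPublicIp(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Check scheme, then resolve the host and require every returned address to be
// public. $resolver is injectable so the example can run without real DNS.
function urlTargetsPublicHost(string $url, ?callable $resolver = null): bool
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    $host = parse_url($url, PHP_URL_HOST);
    if (!$host || !in_array($scheme, ['http', 'https'], true)) {
        return false;
    }
    $host = trim($host, '[]');                       // bare IPv6 literal
    $resolver = $resolver ?? fn(string $h) => gethostbynamel($h) ?: [];
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : $resolver($host);
    if (!$ips) {
        return false;
    }
    foreach ($ips as $ip) {
        if (!isPublicIp($ip)) {
            return false;
        }
    }
    return true;
}

// Vulnerable: the blocklist is consulted once, for the URL the user supplied.
// Guzzle's default allow_redirects then follows any Location header unchecked.
function fetchVulnerable(Client $client, string $url, callable $resolver): string
{
    if (!urlTargetsPublicHost($url, $resolver)) {
        throw new RuntimeException("blocked: $url");
    }
    return (string) $client->get($url)->getBody();
}

// Hardened: automatic redirects off, every hop re-validated, hop count capped.
function fetchHardened(Client $client, string $url, callable $resolver, int $maxHops = 5): string
{
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        if (!urlTargetsPublicHost($url, $resolver)) {
            throw new RuntimeException("blocked: $url");
        }
        $resp = $client->get($url, ['allow_redirects' => false]);
        $status = $resp->getStatusCode();
        if ($status < 300 || $status >= 400 || !$resp->hasHeader('Location')) {
            return (string) $resp->getBody();
        }
        // Location may be relative; resolve it against the URL just fetched.
        $url = (string) UriResolver::resolve(new Uri($url), new Uri($resp->getHeaderLine('Location')));
    }
    throw new RuntimeException('too many redirects');
}

// Constructed test fixtures: a public-looking attacker host and a 302 that
// bounces to the metadata service. The credential body is a fake string.
$fakeDns = fn(string $host) => $host === 'attacker.example' ? ['203.0.113.10'] : [];
$redirect = new Response(302, ['Location' => 'http://169.254.169.254/latest/meta-data/iam/security-credentials/']);
$metadata = new Response(200, [], '{"AccessKeyId":"CONSTRUCTED-SAMPLE"}');

$vulnClient = new Client(['handler' => HandlerStack::create(new MockHandler([$redirect, $metadata]))]);
echo 'vulnerable: ', fetchVulnerable($vulnClient, 'http://attacker.example/image.png', $fakeDns), "\n";

$safeClient = new Client(['handler' => HandlerStack::create(new MockHandler([$redirect]))]);
try {
    fetchHardened($safeClient, 'http://attacker.example/image.png', $fakeDns);
} catch (RuntimeException $e) {
    echo 'hardened: ', $e->getMessage(), "\n";
}
```

Run with `php ssrf-redirect.php`: the vulnerable client prints the constructed metadata body because 203.0.113.10 passes the blocklist and the redirect is followed silently, while the hardened client stops at the second hop with a blocked-URL error before any request leaves for 169.254.169.254. Two general caveats, not specific to this advisory: FILTER_FLAG_NO_PRIV_RANGE and FILTER_FLAG_NO_RES_RANGE do not cover every range an organisation may consider internal (100.64.0.0/10, for instance), so extend the check with explicit CIDRs where needed; and validating the resolved IP separately from the connection Guzzle makes leaves a DNS rebinding window, which is closed only by connecting to the address you validated (for cURL-backed Guzzle, the `curl` request option with CURLOPT_RESOLVE pins it).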
References
- github.com/advisories/GHSA-8jr8-7hr4-vhfx
- github.com/craftcms/cms
- github.com/craftcms/cms/commit/0974055634af68998f67850ab2045d8aaa19fa98
- github.com/craftcms/cms/releases/tag/4.16.18
- github.com/craftcms/cms/releases/tag/5.8.22
- github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx
- nvd.nist.gov/vuln/detail/CVE-2026-25493