5

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-68437

CVE-2025-68437: Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL save_<VolumeName>_Asset mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the _file input, specifically its url parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the url, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume. Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-68437

CVE-2025-68437:

5

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
craftcms/cms	composer	>= 5.0.0-RC1, <= 5.8.20	5.8.21
craftcms/cms	composer	>= 3.5.0, <= 4.16.16	4.16.17

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description clearly indicates an SSRF vulnerability in the GraphQL save_<VolumeName>_Asset mutation due to improper validation of a URL provided for asset uploads. The provided commit 013db636fdb38f3ce5657fd196b6d952f98ebc52 directly addresses this issue. The patch modifies the src/gql/resolvers/mutations/Asset.php file, specifically within the handleUpload method. Before the patch, this method would take a URL from the user input and use it to fetch a file, without checking if the URL pointed to an internal or restricted resource. The patch introduces validation to ensure the URL's hostname is a valid domain and not an IP address, thus preventing the SSRF attack. Therefore, the craft\gql\resolvers\mutations\Asset::handleUpload function is the precise location of the vulnerability and would be present in a runtime profile during exploitation.

Vulnerable functions

craft\gql\resolvers\mutations\Asset::handleUpload

src/gql/resolvers/mutations/Asset.php

The `handleUpload` function is vulnerable to Server-Side Request Forgery (SSRF). It processes a `url` provided in the `_file` argument of a GraphQL mutation without properly validating the hostname. An attacker could provide an internal IP address or a cloud metadata endpoint as the URL, causing the server to make a request to that internal service. The patch mitigates this by adding a check to ensure the hostname is a valid domain and not an IP address.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-68437: Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation

CVE-2025-68437:

5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

5

5

CVE-2025-68437: Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI