CVE-2025-68437: Server-Side Request Forgery in Craft CMS

Severity
7.0 HIGH (NVD)
Other scores: NVD 5.7, NVD 5.0, CNA 5.0, GHSA 5.0, OSV 5.0
EPSS
0.0% (top 95.57%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jan 5
Latest update: Feb 24

Description

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save__Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `u

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages (3 packages)

Source       Package              Versions                 More
Packagist    craftcms/cms         5.0.0-RC1 to 5.8.21      +3
NVD          craftcms/craft_cms   3.5.1 to 4.16.19         +6
CVEList V5   craftcms/cms         4 versions               +3

Patches

Vulnerability Details

CVEList: Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding (2026-02-24)
GHSA: Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution (2026-02-24)
CVEList: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution (2026-02-24)
OSV: Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution (2026-02-24)
OSV: Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding (2026-02-23)

Threat Intelligence

Wiz: CVE-2025-68437 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-68437 — Server-Side Request Forgery | cvebase