Server-Side Request Forgery Vulnerability in Craft CMS by Craft
CVE-2025-68437

CVSS v4 score: 5 (MEDIUM)

Key Information:

Vendor: Craftcms
Status: Vendor
CVE Published: 5 January 2026

What is CVE-2025-68437?

Craft CMS versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are susceptible to a Server-Side Request Forgery (SSRF) flaw in the GraphQL save_<VolumeName>_Asset mutation. The vulnerability stems from insecure handling of the url parameter of the _file input: the server fetches whatever remote content the caller names, so an attacker can direct it at internal IP addresses or cloud metadata endpoints and have it retrieve resources that are not reachable from outside. The result is potential disclosure of sensitive internal data and exposure of internal infrastructure. Users are strongly advised to upgrade to versions 5.8.21 and 4.16.17 to address this issue.

Affected Version(s)

cms >= 5.0.0-RC1, < 5.8.21 (unaffected: < 5.0.0-RC1; fixed in 5.8.21)

cms >= 4.0.0-RC1, < 4.16.17 (unaffected: < 4.0.0-RC1; fixed in 4.16.17)

CVSS V4

Score: 5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
