CVE-2026-25493 is a Server-Side Request Forgery (SSRF) vulnerability identified in Craft CMS, a popular content management system used for building digital experiences. The vulnerability affects Craft CMS versions from 4.0.0-RC1 up to 4.16.17 and 5.0.0-RC1 up to 5.8.21. The root cause lies in the saveAsset GraphQL mutation, which attempts to prevent SSRF attacks by validating the hostname and resolved IP address of URLs against a blocklist. However, the HTTP client library used by Craft CMS, Guzzle, follows HTTP redirects by default. This behavior allows an attacker to bypass the hostname and IP validation by providing a URL that redirects to internal IP addresses or cloud metadata service endpoints, which are typically protected from direct external access. By exploiting this redirect mechanism, an attacker can coerce the server to make unauthorized requests to internal resources, potentially exposing sensitive information such as cloud instance metadata, internal APIs, or other protected services. The vulnerability does not require authentication or user interaction, increasing its risk profile. The CVSS 4.0 base score is 6.9, indicating a medium severity level, with a network attack vector, low complexity, and no privileges required. The impact primarily affects confidentiality and integrity to a limited extent, with no direct availability impact. The issue was patched in Craft CMS versions 4.16.18 and 5.8.22 by presumably fixing the redirect handling or enhancing validation to prevent SSRF via redirects. No known exploits have been reported in the wild as of the publication date. Organizations running vulnerable versions of Craft CMS should prioritize upgrading to the fixed versions to eliminate this SSRF risk.

For European organizations, this SSRF vulnerability poses a risk of unauthorized internal network access and exposure of sensitive internal resources, such as cloud metadata endpoints or internal APIs. Attackers exploiting this flaw could gather confidential information about the infrastructure, credentials, or configuration data, which could facilitate further attacks like privilege escalation or lateral movement. Organizations using Craft CMS in cloud environments (e.g., AWS, Azure, GCP) are particularly at risk because cloud metadata services often contain sensitive data like instance credentials and configuration. This could lead to data breaches, compliance violations (e.g., GDPR), and reputational damage. The vulnerability's exploitation does not require authentication or user interaction, increasing the likelihood of automated attacks. However, the impact is somewhat limited by the need for the target to be running a vulnerable Craft CMS version and the attacker’s ability to control or induce redirects. Overall, the threat is significant for organizations relying on Craft CMS for public-facing or internal digital experiences, especially those with sensitive internal network segments or cloud infrastructure.

1. Upgrade Craft CMS to version 4.16.18 or later, or 5.8.22 or later, which contain patches addressing this SSRF vulnerability. 2. If immediate upgrade is not feasible, implement network-level controls to restrict outbound HTTP requests from the Craft CMS server to internal IP ranges and cloud metadata IP addresses (e.g., 169.254.169.254 for AWS). 3. Review and harden GraphQL endpoint access controls to limit exposure to trusted users or IP addresses. 4. Monitor logs for unusual outbound HTTP requests or redirects originating from the Craft CMS server. 5. Employ web application firewalls (WAFs) with rules to detect and block SSRF patterns or suspicious redirect chains. 6. Conduct internal penetration testing focusing on SSRF vectors to identify similar weaknesses. 7. Educate developers and administrators about SSRF risks and secure coding practices related to URL validation and HTTP client usage. These steps go beyond generic advice by combining patching with network segmentation, monitoring, and access control enhancements tailored to the specific vulnerability mechanism.