craftcms/cms is vulnerable to Server-Side Request Forgery (SSRF)
55
Medium Risk
Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-supplied URLs in file handling code. The old code would accept any URL and attempt to fetch it, allowing an attacker to specify internal, loopback, or cloud metadata service addresses. The patch mitigates this by validating that the hostname is a valid alphanumeric domain and not an IP address, which blocks attempts to exploit the server's trust relationship to probe internal networks or access sensitive data.
You are affected if you are using a version that falls within the vulnerable range.
craftcms/cms is vulnerable to Server-Side Request Forgery (SSRF) in versions 5.0.0 - 5.8.20 and 4.0.0 - 4.16.16.
Upgrade the craftcms/cms library to the patch version.
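
The kind of hostname validation described above, sketched as an added example. This is not Craft CMS's patch code: the function name isAllowedFetchUrl() and the sample URLs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not Craft CMS code. isAllowedFetchUrl() is a hypothetical helper
// that accepts a user-supplied URL only if its host is a dotted alphanumeric domain.
function isAllowedFetchUrl(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Only plain web schemes are accepted.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Credentials in the authority part make the real host easy to misread.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    // Reject IP literals: dotted IPv4 and bracketed IPv6 (parse_url keeps the brackets).
    if (filter_var(trim($host, '[]'), FILTER_VALIDATE_IP) !== false) {
        return false;
    }
    // Require alphanumeric labels ending in an alphabetic TLD. This also rejects
    // single-label names such as "localhost" and all-numeric hosts.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return strlen($host) <= 253
        && preg_match('/^(?:' . $label . '\.)+[a-z]{2,63}$/', $host) === 1;
}

// Constructed sample inputs covering the address classes named in the advisory.
$samples = [
    'https://example.com/logo.png', // ordinary public domain
    'http://127.0.0.1/',            // loopback IPv4 literal
    'http://[::1]/',                // loopback IPv6 literal
    'http://169.254.169.254/',      // cloud metadata service address
    'http://localhost/',            // single-label internal name
];
foreach ($samples as $url) {
    printf("%-32s %s\n", $url, isAllowedFetchUrl($url) ? 'allow' : 'reject');
}
```

A hostname that passes this check can still resolve to an internal address, so a fetcher should also check the resolved IP before connecting and re-validate every redirect target.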