craftcms/cms is vulnerable to Server-Side Request Forgery (SSRF)
54
Medium Risk
Affected versions have two SSRF vectors.

In the GraphQL asset mutation (saveAsset), only the hostname of the supplied URL was validated; schemes such as gopher, file, or ftp were not restricted, so an attacker could pass a URL with an allowed host but a non-HTTP scheme, bypass the host-based check, and trigger requests to internal resources.

Separately, the control panel resource-JS endpoint (actionResourceJs) accepted a URL, asserted only that it started with the asset manager base URL, then used Guzzle to fetch that URL and return the response body, so the server could be induced to request attacker-chosen URLs (e.g. cloud metadata or internal services).

The patch adds scheme validation in the GraphQL mutation (only http and https are allowed) and changes the resource-JS endpoint to resolve the resource by URI to a local path via App::resourcePathByUri() and serve the file from disk with sendFile(), so no outbound fetch is made.
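The two fixes described above, written as an added Python example rather than Craft's own PHP code: a host-only URL check next to the hardened scheme-plus-host check used for the GraphQL asset mutation, and a lexical URI-to-local-path resolver in the spirit of App::resourcePathByUri() that replaces the outbound fetch. The allowed host, the resource root and the URI prefix are constructed values, and resource_path_by_uri is a hypothetical stand-in, not the project's function.

```python
import posixpath
from urllib.parse import urlparse, unquote

# Constructed example configuration; not Craft's real settings.
ALLOWED_HOSTS = {"cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def host_only_check(url: str) -> bool:
    """The weak pattern: only the hostname is inspected, the scheme is ignored.

    A URL such as gopher://cdn.example.com/... passes this check even though
    the fetch will not be a plain HTTP request.
    """
    return urlparse(url).hostname in ALLOWED_HOSTS


def scheme_and_host_check(url: str) -> bool:
    """Hardened check: require http/https and an allowed hostname.

    urlparse lowercases the hostname and ignores userinfo, so a URL like
    https://cdn.example.com@other.example/ is judged by its real host.
    """
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.hostname is None or parts.hostname not in ALLOWED_HOSTS:
        return False
    return True


# Hypothetical local resource root and the URI prefix mapped onto it.
RESOURCE_BASE = "/var/www/resources"
RESOURCE_URI_PREFIX = "/cpresources/"


def resource_path_by_uri(uri: str):
    """Resolve a resource URI to a local path instead of fetching it.

    Returns the local path as a string, or None when the URI is not under
    the expected prefix or would escape the resource root. The check is
    purely lexical so it runs the same on every machine.
    """
    if not uri.startswith(RESOURCE_URI_PREFIX):
        return None
    rel = uri[len(RESOURCE_URI_PREFIX):].split("?", 1)[0]
    rel = posixpath.normpath(unquote(rel))
    # After normalisation any remaining ".." or absolute path means escape.
    if rel in (".", "..") or rel.startswith("/") or rel.startswith("../"):
        return None
    return posixpath.join(RESOURCE_BASE, rel)


if __name__ == "__main__":
    for url in ("https://cdn.example.com/a.png", "gopher://cdn.example.com/x"):
        print(url, host_only_check(url), scheme_and_host_check(url))
    for uri in ("/cpresources/js/app.js?v=3", "/cpresources/../../etc/passwd"):
        print(uri, resource_path_by_uri(uri))
```

The resolver never performs a network request: whatever the caller supplies, the only thing that can happen is a read of a file beneath the fixed resource root, which is the property the patched endpoint relies on when it hands the path to sendFile().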
You are affected if you are using a version that falls within the vulnerable range.
craftcms/cms is vulnerable to Server-Side Request Forgery (SSRF) in versions 4.0.0 - 4.17.8 and 5.0.0 - 5.9.14.
Upgrade the craftcms/cms library to a patched version.