CVE-2025-68437

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-68437
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68437.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-68437
Aliases
Published
2026-01-05T21:52:29.436Z
Modified
2026-03-01T02:56:41.195163Z
Severity
  • 5.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation
Details

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL save_<VolumeName>_Asset mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the _file input, specifically its url parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the url, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume. Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68437.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-918"
    ]
}
References

Affected packages

Git / github.com/craftcms/cms

Affected ranges

Type
GIT
Repo
https://github.com/craftcms/cms
Events
Introduced
04755d93f86d07cc183db47db8a0eee106892e30
Fixed
8582f04f8346c6cf285a18d9704c4a2d9371e9bf
Database specific 
{
    "versions": [
        {
            "introduced": "5.0.0-RC1"
        },
        {
            "fixed": "5.8.21"
        }
    ]
}
Type
GIT
Repo
https://github.com/craftcms/cms
Events
Introduced
daac7c1da2f701f2e9ddee1da1457ce61660b581
Fixed
b5f17cd3246cf10034a914464964757b0b84bcd3
Database specific 
{
    "versions": [
        {
            "introduced": "4.0.0-RC1"
        },
        {
            "fixed": "4.16.17"
        }
    ]
}

Affected versions

3.*
3.7.33
3.7.39
3.7.40
3.7.40.1
3.7.41
3.7.42
3.7.43
3.7.44
3.7.45
3.7.45.1
3.7.45.2
3.7.46
3.7.47
3.7.47.1
3.7.48
3.7.49
3.7.50
3.7.51
3.7.52
3.7.53
3.7.53.1
3.7.54
3.7.55
3.7.55.1
3.7.55.2
3.7.55.3
3.7.56
3.7.57
3.7.58
3.7.59
3.7.60
3.7.61
3.7.62
3.7.63
3.7.63.1
3.7.64
3.7.64.1
3.7.65
3.7.65.1
3.7.65.2
3.7.66
3.7.67
3.7.68
3.8.0
3.8.0-beta.1
3.8.0-beta.2
3.8.0-beta.3
3.8.0-beta.4
3.8.0-beta.5
3.8.0-beta.6
3.8.1
3.8.10
3.8.10.1
3.8.10.2
3.8.11
3.8.12
3.8.13
3.8.14
3.8.15
3.8.16
3.8.17
3.8.2
3.8.3
3.8.4
3.8.5
3.8.6
3.8.7
3.8.8
3.8.9
3.9.0
3.9.1
3.9.10
3.9.11
3.9.12
3.9.13
3.9.14
3.9.15
3.9.2
3.9.3
3.9.4
3.9.5
3.9.6
4.*
4.0.0
4.0.0-RC1
4.0.0-RC2
4.0.0-RC3
4.0.0.1
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.5.1
4.0.5.2
4.0.6
4.1.0
4.1.0.1
4.1.0.2
4.1.1
4.1.2
4.1.3
4.1.4
4.1.4.1
4.10.0
4.10.0-beta.1
4.10.0-beta.2
4.10.1
4.10.2
4.10.3
4.10.4
4.10.5
4.10.6
4.10.7
4.10.8
4.11.0
4.11.0.1
4.11.0.2
4.11.1
4.11.2
4.11.3
4.11.4
4.11.5
4.12.0
4.12.1
4.12.2
4.12.3
4.12.4
4.12.4.1
4.12.5
4.12.6
4.12.6.1
4.12.7
4.12.8
4.12.9
4.13.0
4.13.1
4.13.1.1
4.13.10
4.13.2
4.13.3
4.13.4
4.13.5
4.13.6
4.13.7
4.13.8
4.13.9
4.14.0
4.14.0.1
4.14.0.2
4.14.1
4.14.10
4.14.11
4.14.11.1
4.14.12
4.14.13
4.14.14
4.14.15
4.14.2
4.14.3
4.14.4
4.14.5
4.14.6
4.14.7
4.14.8
4.14.8.1
4.14.9
4.15.0
4.15.0-beta.1
4.15.0-beta.2
4.15.0.1
4.15.0.2
4.15.1
4.15.2
4.15.3
4.15.4
4.15.5
4.15.6
4.15.6.1
4.15.6.2
4.15.7
4.16.0
4.16.1
4.16.10
4.16.11
4.16.12
4.16.13
4.16.14
4.16.15
4.16.16
4.16.17
4.16.2
4.16.3
4.16.4
4.16.5
4.16.6
4.16.6.1
4.16.7
4.16.8
4.16.9
4.16.9.1
4.2.0
4.2.0.1
4.2.0.2
4.2.1
4.2.1.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.5.1
4.2.5.2
4.2.6
4.2.7
4.2.8
4.3.0
4.3.1
4.3.10
4.3.11
4.3.2
4.3.2.1
4.3.3
4.3.4
4.3.5
4.3.6
4.3.6.1
4.3.7
4.3.7.1
4.3.8
4.3.8.1
4.3.8.2
4.3.9
4.4.0
4.4.0-beta.1
4.4.0-beta.2
4.4.0-beta.3
4.4.0-beta.4
4.4.0-beta.5
4.4.0-beta.6
4.4.0-beta.7
4.4.1
4.4.10
4.4.10.1
4.4.11
4.4.12
4.4.13
4.4.14
4.4.15
4.4.16
4.4.16.1
4.4.17
4.4.2
4.4.3
4.4.4
4.4.5
4.4.6
4.4.6.1
4.4.7
4.4.7.1
4.4.8
4.4.9
4.5.0
4.5.0-beta.1
4.5.0-beta.2
4.5.1
4.5.10
4.5.11
4.5.11.1
4.5.12
4.5.13
4.5.14
4.5.15
4.5.2
4.5.3
4.5.4
4.5.5
4.5.6
4.5.6.1
4.5.7
4.5.8
4.5.9
4.6.0
4.6.0-RC1
4.6.1
4.7.0
4.7.1
4.7.2
4.7.2.1
4.7.3
4.7.4
4.8.0
4.8.1
4.8.10
4.8.11
4.8.2
4.8.3
4.8.4
4.8.5
4.8.6
4.8.7
4.8.8
4.8.9
4.9.0
4.9.1
4.9.2
4.9.3
4.9.4
4.9.5
4.9.6
4.9.7
5.*
5.0.0
5.0.0-RC1
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.1.0
5.1.1
5.1.10
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.2.0
5.2.0-beta.1
5.2.0-beta.2
5.2.0-beta.3
5.2.0-beta.4
5.2.0-beta.5
5.2.0-beta.6
5.2.1
5.2.10
5.2.2
5.2.3
5.2.4
5.2.4.1
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
5.3.0
5.3.0-beta.1
5.3.0-beta.2
5.3.0.1
5.3.0.2
5.3.0.3
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.4.0
5.4.0.1
5.4.1
5.4.10
5.4.10.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.5.1
5.4.6
5.4.7
5.4.7.1
5.4.8
5.4.9
5.5.0
5.5.0.1
5.5.1
5.5.1.1
5.5.10
5.5.2
5.5.3
5.5.4
5.5.5
5.5.6
5.5.6.1
5.5.7
5.5.8
5.5.9
5.6.0
5.6.0.1
5.6.0.2
5.6.1
5.6.10
5.6.10.1
5.6.10.2
5.6.11
5.6.12
5.6.13
5.6.14
5.6.15
5.6.16
5.6.17
5.6.2
5.6.3
5.6.4
5.6.5
5.6.5.1
5.6.6
5.6.7
5.6.8
5.6.9
5.6.9.1
5.7.0
5.7.0-beta.1
5.7.0-beta.2
5.7.1
5.7.1.1
5.7.10
5.7.11
5.7.2
5.7.3
5.7.4
5.7.5
5.7.6
5.7.7
5.7.8
5.7.8.1
5.7.8.2
5.7.9
5.8.0
5.8.1
5.8.10
5.8.11
5.8.12
5.8.13
5.8.13.1
5.8.13.2
5.8.14
5.8.15
5.8.16
5.8.17
5.8.18
5.8.19
5.8.2
5.8.20
5.8.3
5.8.4
5.8.5
5.8.6
5.8.7
5.8.8
5.8.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68437.json"