GHSA-gp2f-7wcm-5fhx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-gp2f-7wcm-5fhx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-gp2f-7wcm-5fhx/GHSA-gp2f-7wcm-5fhx.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-gp2f-7wcm-5fhx
- Aliases
- Related
- Published
- 2026-02-23T22:16:01Z
- Modified
- 2026-02-24T20:59:17.697105Z
- Severity
-
- 7.0 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N CVSS Calculator
- Summary
- Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding
- Details
-
Summary
The SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker’s DNS server returns different IP addresses for validation compared to the actual request.
This is a bypass of the security fix for CVE-2025-68437 (GHSA-x27p-wfqw-hfcc) that allows access to all blocked IPs, not just IPv6 endpoints.
Severity
Bypass of cloud metadata SSRF protection for all blocked IPs
Required Permissions
Exploitation requires GraphQL schema permissions for: - Edit assets in the
<VolumeName>volume - Create assets in the<VolumeName>volumeThese permissions may be granted to: - Authenticated users with appropriate GraphQL schema access - Public Schema (if misconfigured with write permissions)
Technical Details
Vulnerable Code Flow
The code at
src/gql/resolvers/mutations/Asset.phpperforms two separate DNS lookups:// VALIDATION PHASE: First DNS resolution at time T1 private function validateHostname(string $url): bool { $hostname = parse_url($url, PHP_URL_HOST); $ip = gethostbyname($hostname); // DNS Lookup #1 - Returns safe IP if (in_array($ip, [ '169.254.169.254', // AWS, GCP, Azure IMDS '169.254.170.2', // AWS ECS metadata '100.100.100.200', // Alibaba Cloud '192.0.0.192', // Oracle Cloud ])) { return false; // Check passes - IP looks safe } return true; } // ... time gap between validation and request ... // REQUEST PHASE: Second DNS resolution at time T2 (inside Guzzle) $response = $client->get($url); // DNS Lookup #2 - Guzzle resolves DNS AGAIN // Now returns 169.254.169.254!Root Cause
Two separate DNS lookups occur: 1. Validation:
gethostbyname()invalidateHostname()2. Request: Guzzle's internal DNS resolution via libcurlAn attacker controlling a DNS server can return different IPs for each query.
Bypass Mechanism
+-----------------------------------------------------------------------------+ | Attacker's DNS Server: evil.attacker.com | +-----------------------------------------------------------------------------+ | Query 1 (Validation - T1): | | Request: A record for evil.attacker.com | | Response: 1.2.3.4 (safe IP, TTL: 0) | | Result: Validation PASSES | +-----------------------------------------------------------------------------+ | Query 2 (Guzzle Request - T2): | | Request: A record for evil.attacker.com | | Response: 169.254.169.254 (metadata IP, TTL: 0) | | Result: Request goes to blocked IP -> CREDENTIALS STOLEN | +-----------------------------------------------------------------------------+
Target Endpoints via DNS Rebinding
DNS rebinding allows access to all blocked IPs:
| Target | Rebind To | Impact | |--------|-----------|--------| | AWS IMDS |
169.254.169.254| IAM credentials, instance identity | | AWS ECS |169.254.170.2| Container credentials | | GCP Metadata |169.254.169.254| Service account tokens | | Azure Metadata |169.254.169.254| Managed identity tokens | | Alibaba Cloud |100.100.100.200| Instance credentials | | Oracle Cloud |192.0.0.192| Instance metadata | | Internal Services |127.0.0.1,10.x.x.x| Internal APIs, databases |
Attack Scenario
- Attacker sets up DNS server with alternating responses
- Attacker sends mutation with
url: "http://evil.attacker.com/latest/meta-data/" - First DNS query returns safe IP (e.g.,
1.2.3.4) → validation passes - Second DNS query returns metadata IP (
169.254.169.254) → request to metadata - Attacker retrieves credentials from ANY cloud provider
- Attacker can now achieve code execution by creating new instances with their SSH key
Remediation
Fix: DNS Pinning with CURLOPT_RESOLVE
Pin the DNS resolution - use the same resolved IP for both validation and request:
private function validateHostname(string $url): bool { $hostname = parse_url($url, PHP_URL_HOST); // Resolve once $ip = gethostbyname($hostname); // Validate the resolved IP if (in_array($ip, [ '169.254.169.254', '169.254.170.2', '100.100.100.200', '192.0.0.192', ])) { return false; } // Store for later use $this->pinnedDNS[$hostname] = $ip; return true; } // When making the request - CRITICAL: Use pinned IP protected function makeRequest(string $url): ResponseInterface { $hostname = parse_url($url, PHP_URL_HOST); $ip = $this->pinnedDNS[$hostname] ?? null; $options = []; if ($ip) { // Force Guzzle/curl to use the SAME IP we validated $options['curl'] = [ CURLOPT_RESOLVE => [ "$hostname:80:$ip", "$hostname:443:$ip" ] ]; } return $this->client->get($url, $options); }Alternative: Single Resolution with Immediate Use
// Resolve to IP and use IP directly in URL $ip = gethostbyname($hostname); if (in_array($ip, $blockedIPs)) { return false; } // Make request directly to IP with Host header $client->get("http://$ip" . parse_url($url, PHP_URL_PATH), [ 'headers' => [ 'Host' => $hostname ] ]);Additional Mitigations
| Mitigation | Description | |------------|-------------| | DNS Pinning (CURLOPT_RESOLVE) | Force same IP for validation and request | | Single IP-based request | Use resolved IP directly in URL | | Implement IMDSv2 | Requires token header (infrastructure-level) | | Network egress filtering | Block metadata IPs at network level |
Resources
- https://github.com/craftcms/cms/commit/a4cf3fb63bba3249cf1e2882b18a2d29e77a8575
- GHSA-x27p-wfqw-hfcc - Original SSRF vulnerability (CVE-2025-68437)
- DNSrebinder - Lightweight Python DNS server for testing DNS rebinding vulnerabilities; responds with legitimate IP for first N queries, then rebinds to target IP
- Singularity DNS Rebinding Tool
- rbndr DNS Rebinding Service
- DNS Rebinding Attacks Explained
- CURLOPT_RESOLVE Documentation
- OWASP SSRF Prevention Cheat Sheet
- Database specific
{ "nvd_published_at": null, "github_reviewed_at": "2026-02-23T22:16:01Z", "github_reviewed": true, "severity": "HIGH", "cwe_ids": [ "CWE-367" ] }- References
-
- https://github.com/craftcms/cms/security/advisories/GHSA-gp2f-7wcm-5fhx
- https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc
- https://github.com/craftcms/cms/commit/a4cf3fb63bba3249cf1e2882b18a2d29e77a8575
- https://curl.se/libcurl/c/CURLOPT_RESOLVE.html
- https://github.com/craftcms/cms
- https://github.com/mogwailabs/DNSrebinder
- https://github.com/nccgroup/singularity
- https://github.com/taviso/rbndr
- https://unit42.paloaltonetworks.com/dns-rebinding
Affected packages
Packagist / craftcms/cms
Package
- Name
- craftcms/cms
- Purl
- pkg:composer/craftcms/cms
Affected versions
5.*
5.0.0-RC1
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.1.10
5.2.0-beta.1
5.2.0-beta.2
5.2.0-beta.3
5.2.0-beta.4
5.2.0-beta.5
5.2.0-beta.6
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4
5.2.4.1
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
5.2.10
5.3.0-beta.1
5.3.0-beta.2
5.3.0
5.3.0.1
5.3.0.2
5.3.0.3
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.4.0
5.4.0.1
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.5.1
5.4.6
5.4.7
5.4.7.1
5.4.8
5.4.9
5.4.10
5.4.10.1
5.5.0
5.5.0.1
5.5.1
5.5.1.1
5.5.2
5.5.3
5.5.4
5.5.5
5.5.6
5.5.6.1
5.5.7
5.5.8
5.5.9
5.5.10
5.6.0
5.6.0.1
5.6.0.2
5.6.1
5.6.2
5.6.3
5.6.4
5.6.5
5.6.5.1
5.6.6
5.6.7
5.6.8
5.6.9
5.6.9.1
5.6.10
5.6.10.1
5.6.10.2
5.6.11
5.6.12
5.6.13
5.6.14
5.6.15
5.6.16
5.6.17
5.7.0-beta.1
5.7.0-beta.2
5.7.0
5.7.1
5.7.1.1
5.7.2
5.7.3
5.7.4
5.7.5
5.7.6
5.7.7
5.7.8
5.7.8.1
5.7.8.2
5.7.9
5.7.10
5.7.11
5.8.0
5.8.1
5.8.2
5.8.3
5.8.4
5.8.5
5.8.6
5.8.7
5.8.8
5.8.9
5.8.10
5.8.11
5.8.12
5.8.13
5.8.13.1
5.8.13.2
5.8.14
5.8.15
5.8.16
5.8.17
5.8.18
5.8.19
5.8.20
5.8.21
5.8.22
Packagist / craftcms/cms
Package
- Name
- craftcms/cms
- Purl
- pkg:composer/craftcms/cms
Affected versions
3.*
3.5.0
3.5.1
3.5.2
3.5.3
3.5.4
3.5.5
3.5.6
3.5.7
3.5.8
3.5.9
3.5.10
3.5.10.1
3.5.11
3.5.11.1
3.5.12
3.5.12.1
3.5.13
3.5.13.1
3.5.13.2
3.5.14
3.5.15
3.5.15.1
3.5.16
3.5.17
3.5.17.1
3.5.18
3.5.19
3.5.19.1
3.6.0-beta.1
3.6.0-beta.1.1
3.6.0-beta.2
3.6.0-RC1
3.6.0-RC2
3.6.0-RC2.1
3.6.0-RC3
3.6.0-RC4
3.6.0
3.6.0.1
3.6.1
3.6.2
3.6.3
3.6.4
3.6.4.1
3.6.5
3.6.5.1
3.6.6
3.6.7
3.6.8
3.6.9
3.6.10
3.6.11
3.6.11.1
3.6.11.2
3.6.12
3.6.12.1
3.6.13
3.6.14
3.6.15
3.6.16
3.6.17
3.6.18
3.7.0-beta.1
3.7.0-beta.2
3.7.0-beta.3
3.7.0-beta.4
3.7.0-beta.5
3.7.0-beta.6
3.7.0
3.7.1
3.7.2
3.7.3
3.7.3.1
3.7.3.2
3.7.4
3.7.5
3.7.6
3.7.7
3.7.8
3.7.9
3.7.10
3.7.11
3.7.12
3.7.13
3.7.14
3.7.15
3.7.16
3.7.17
3.7.17.1
3.7.17.2
3.7.18
3.7.18.1
3.7.18.2
3.7.19
3.7.19.1
3.7.20
3.7.21
3.7.22
3.7.23
3.7.24
3.7.25
3.7.25.1
3.7.26
3.7.27
3.7.27.1
3.7.27.2
3.7.28
3.7.29
3.7.30
3.7.30.1
3.7.31
3.7.32
3.7.33
3.7.34
3.7.35
3.7.36
3.7.37
3.7.38
3.7.39
3.7.40
3.7.40.1
3.7.41
3.7.42
3.7.43
3.7.44
3.7.45
3.7.45.1
3.7.45.2
3.7.46
3.7.47
3.7.47.1
3.7.48
3.7.49
3.7.50
3.7.51
3.7.52
3.7.53
3.7.53.1
3.7.54
3.7.55
3.7.55.1
3.7.55.2
3.7.55.3
3.7.56
3.7.57
3.7.58
3.7.59
3.7.60
3.7.61
3.7.62
3.7.63
3.7.63.1
3.7.64
3.7.64.1
3.7.65
3.7.65.1
3.7.65.2
3.7.66
3.7.67
3.7.68
3.8.0-beta.1
3.8.0-beta.2
3.8.0-beta.3
3.8.0-beta.4
3.8.0-beta.5
3.8.0-beta.6
3.8.0
3.8.1
3.8.2
3.8.3
3.8.4
3.8.5
3.8.6
3.8.7
3.8.8
3.8.9
3.8.10
3.8.10.1
3.8.10.2
3.8.11
3.8.12
3.8.13
3.8.14
3.8.15
3.8.16
3.8.17
3.9.0
3.9.1
3.9.2
3.9.3
3.9.4
3.9.5
3.9.6
3.9.10
3.9.11
3.9.12
3.9.13
3.9.14
3.9.15
4.*
4.0.0-alpha.1
4.0.0-beta.1
4.0.0-beta.2
4.0.0-beta.3
4.0.0-beta.4
4.0.0-RC1
4.0.0-RC2
4.0.0-RC3
4.0.0
4.0.0.1
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.5.1
4.0.5.2
4.0.6
4.1.0
4.1.0.1
4.1.0.2
4.1.1
4.1.2
4.1.3
4.1.4
4.1.4.1
4.2.0
4.2.0.1
4.2.0.2
4.2.1
4.2.1.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.5.1
4.2.5.2
4.2.6
4.2.7
4.2.8
4.3.0
4.3.1
4.3.2
4.3.2.1
4.3.3
4.3.4
4.3.5
4.3.6
4.3.6.1
4.3.7
4.3.7.1
4.3.8
4.3.8.1
4.3.8.2
4.3.9
4.3.10
4.3.11
4.4.0-beta.1
4.4.0-beta.2
4.4.0-beta.3
4.4.0-beta.4
4.4.0-beta.5
4.4.0-beta.6
4.4.0-beta.7
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5
4.4.6
4.4.6.1
4.4.7
4.4.7.1
4.4.8
4.4.9
4.4.10
4.4.10.1
4.4.11
4.4.12
4.4.13
4.4.14
4.4.15
4.4.16
4.4.16.1
4.4.17
4.5.0-beta.1
4.5.0-beta.2
4.5.0
4.5.1
4.5.2
4.5.3
4.5.4
4.5.5
4.5.6
4.5.6.1
4.5.7
4.5.8
4.5.9
4.5.10
4.5.11
4.5.11.1
4.5.12
4.5.13
4.5.14
4.5.15
4.6.0-RC1
4.6.0
4.6.1
4.7.0
4.7.1
4.7.2
4.7.2.1
4.7.3
4.7.4
4.8.0
4.8.1
4.8.2
4.8.3
4.8.4
4.8.5
4.8.6
4.8.7
4.8.8
4.8.9
4.8.10
4.8.11
4.9.0
4.9.1
4.9.2
4.9.3
4.9.4
4.9.5
4.9.6
4.9.7
4.10.0-beta.1
4.10.0-beta.2
4.10.0
4.10.1
4.10.2
4.10.3
4.10.4
4.10.5
4.10.6
4.10.7
4.10.8
4.11.0
4.11.0.1
4.11.0.2
4.11.1
4.11.2
4.11.3
4.11.4
4.11.5
4.12.0
4.12.1
4.12.2
4.12.3
4.12.4
4.12.4.1
4.12.5
4.12.6
4.12.6.1
4.12.7
4.12.8
4.12.9
4.13.0
4.13.1
4.13.1.1
4.13.2
4.13.3
4.13.4
4.13.5
4.13.6
4.13.7
4.13.8
4.13.9
4.13.10
4.14.0
4.14.0.1
4.14.0.2
4.14.1
4.14.2
4.14.3
4.14.4
4.14.5
4.14.6
4.14.7
4.14.8
4.14.8.1
4.14.9
4.14.10
4.14.11
4.14.11.1
4.14.12
4.14.13
4.14.14
4.14.15
4.15.0-beta.1
4.15.0-beta.2
4.15.0
4.15.0.1
4.15.0.2
4.15.1
4.15.2
4.15.3
4.15.4
4.15.5
4.15.6
4.15.6.1
4.15.6.2
4.15.7
4.16.0
4.16.1
4.16.2
4.16.3
4.16.4
4.16.5
4.16.6
4.16.6.1
4.16.7
4.16.8
4.16.9
4.16.9.1
4.16.10
4.16.11
4.16.12
4.16.13
4.16.14
4.16.15
4.16.16
4.16.17
4.16.18