CVE-2025-68437: Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save_...

Description

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume. Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue.

Metrics

CVSS 3.1

6.8/10

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

CVSS 4.0

5/10

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability

0.43%

34.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-918

Affected Software

Vendor	Product	Versions
Craftcms	Craft Cms	>= 3.5.0, < 4.16.17
Craftcms	Craft Cms	>= 5.0.1, < 5.8.21
Craftcms	Craft Cms	5.0.0

References

https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04Product, Release Notes
https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52Patch
https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfccExploit, Vendor Advisory
https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfccExploit, Vendor Advisory

Timeline

Published: Jan 5, 2026
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2025-68437?

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume. Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue.

How severe is CVE-2025-68437?

CVE-2025-68437 has a CVSS score of 5/10 (MEDIUM severity). The EPSS model estimates a 0.43% probability of exploitation in the next 30 days.

How do I fix CVE-2025-68437?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.