
Posted on • Originally published at cvereports.com

CVE-2026-25494: Craft CMS: The Art of Hexing Your Way to AWS Metadata

Vulnerability ID: CVE-2026-25494
CVSS Score: 6.9
Published: 2026-02-09

A high-severity Server-Side Request Forgery (SSRF) vulnerability in Craft CMS allows attackers to bypass IP blocklists using alternative IP notations (hexadecimal). By abusing the discrepancy between PHP's validation logic and the underlying system's DNS resolver, attackers can trick the application into fetching sensitive internal resources—most notably cloud instance metadata—via the GraphQL API.

TL;DR

Craft CMS's GraphQL saveAsset mutation tries to block internal IPs using filter_var, which does not recognise hexadecimal or octal IPv4 notation. The Linux resolver and cURL do. Attackers can request http://0xa9fea9fe to reach 169.254.169.254, bypassing the check and stealing cloud credentials.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-918
  • Attack Vector: Network
  • CVSS v4.0: 6.9
  • Impact: Confidentiality (High - Cloud Credential Theft)
  • Exploit Status: PoC Available
  • Protocol: GraphQL / HTTP

Affected Systems

  • Craft CMS 4.x: >= 4.0.0-RC1, < 4.16.18 (fixed in 4.16.18)
  • Craft CMS 5.x: >= 5.0.0-RC1, < 5.8.22 (fixed in 5.8.22)

Code Analysis

Commit: d49e93e

Fixed validation logic to normalize hex strings before IP check

+ $hostname = Collection::make(explode('.', $hostname))...
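Review bot: splitting the hostname on '.' only reaches the dotted spellings, while the TL;DR's own example http://0xa9fea9fe contains no dot at all and octal parts are also accepted by the resolver, so the mapping that follows the truncated "..." must convert each part (hexdec/octdec/intval), rebuild the dotted-decimal string from the result, and feed that normalised string, not the original one, into the filter_var blocklist comparison; since only the first fragment of the line is shown here, confirm in the commit that single-integer and octal forms are covered and that a part that fails to convert makes the whole hostname invalid rather than falling through as a DNS name.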

Exploit Details

  • Manual: GraphQL mutation utilizing hex-encoded IP address to access internal metadata.

Mitigation Strategies

  • Input Normalization
  • Network Segmentation
  • Defense in Depth

Remediation Steps:

  1. Upgrade Craft CMS to version 4.16.18 or 5.8.22 immediately.
  2. Enforce IMDSv2 on all cloud instances (AWS) to prevent credential theft via SSRF.
  3. Configure firewall rules to block outbound connections from the CMS to internal IP ranges (RFC1918) and link-local addresses (169.254.0.0/16).
  4. Disable the saveAsset GraphQL mutation if not required by business logic.
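The validation gap described in the TL;DR and the "Input Normalization" mitigation above, shown in Python as an added example that is not Craft's code or part of the original report. It assumes a constructed deny-list (BLOCKED_NETWORKS), uses Python's ipaddress.ip_address to stand in for PHP's filter_var(..., FILTER_VALIDATE_IP), and reimplements the C library's inet_aton grammar in parse_legacy_ipv4 (a hypothetical helper name). It deliberately goes beyond the hex case in the text: octal and decimal parts, and one- to three-part addresses, are the other spellings the same resolver accepts, so a normaliser that stops at hex is still bypassable.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample deny-list for server-side fetches: loopback, RFC1918,
# link-local (the cloud metadata range) and "this network". Not Craft's list.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8",
)]

# One inet_aton "part": hex (0x..), octal (leading 0) or plain decimal.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def _part_value(p: str) -> int:
    if p[:2].lower() == "0x":
        return int(p[2:], 16)
    if len(p) > 1 and p[0] == "0":
        return int(p, 8)
    return int(p, 10)


def parse_legacy_ipv4(host: str) -> Optional[int]:
    """Interpret host the way the C library's inet_aton does: one to four
    dot-separated parts, each decimal, octal or hex, where the last part fills
    every byte not covered by the earlier parts. Returns the 32-bit address as
    an int, or None when host is not a numeric IPv4 spelling at all."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    values = [_part_value(p) for p in parts]
    head, last = values[:-1], values[-1]
    if any(v > 0xFF for v in head):
        return None
    remaining_bits = 8 * (4 - len(head))
    if last >= 1 << remaining_bits:
        return None
    addr = 0
    for v in head:
        addr = (addr << 8) | v
    return (addr << remaining_bits) | last


def canonical_ipv4(host: str) -> Optional[str]:
    """Dotted-decimal form of any numeric spelling, or None for a hostname."""
    n = parse_legacy_ipv4(host)
    return None if n is None else str(ipaddress.IPv4Address(n))


def naive_is_blocked(host: str) -> bool:
    """The pre-fix pattern: only strings the strict parser accepts are compared
    with the deny-list; anything else is assumed to be a DNS name and allowed.
    ipaddress.ip_address plays the role of filter_var(FILTER_VALIDATE_IP)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False          # "not an IP" -> treated as a hostname -> allowed
    return any(addr in net for net in BLOCKED_NETWORKS)


def hardened_is_blocked(host: str) -> bool:
    """Normalise every numeric spelling to the address the resolver will
    actually connect to, then compare that. A genuine hostname must still be
    resolved and its resolved addresses checked (and the connection pinned to
    them); that resolution step is outside this example and yields False."""
    n = parse_legacy_ipv4(host)
    if n is not None:
        addr = ipaddress.ip_address(n)
    else:
        try:
            addr = ipaddress.ip_address(host)   # e.g. a plain IPv6 literal
        except ValueError:
            return False
    return any(addr in net for net in BLOCKED_NETWORKS)


if __name__ == "__main__":
    # Constructed inputs: the page's hex example plus other resolver spellings.
    for h in ("169.254.169.254", "0xa9fea9fe", "0251.0376.0251.0376",
              "169.254.43518", "203.0.113.10", "example.com"):
        print(f"{h:24} canonical={canonical_ipv4(h)!s:18} "
              f"naive_blocked={naive_is_blocked(h)!s:5} "
              f"hardened_blocked={hardened_is_blocked(h)}")
```

The naive check passes every non-dotted spelling straight through because the strict parser reports "not an IP address"; the hardened check first asks what the resolver would make of the string and only then consults the deny-list, which is the ordering the commit message above describes. On a Linux host, socket.inet_aton("0xa9fea9fe") returns the same four bytes as 169.254.169.254, which is the discrepancy the report is about.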

Read the full report for CVE-2026-25494 on our website for more details including interactive diagrams and full exploit analysis.
