Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding

説明

Summary

The SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker’s DNS server returns different IP addresses for validation compared to the actual request.

This is a bypass of the security fix for CVE-2025-68437 (GHSA-x27p-wfqw-hfcc) that allows access to all blocked IPs, not just IPv6 endpoints.

Severity

Bypass of cloud metadata SSRF protection for all blocked IPs

Required Permissions

Exploitation requires GraphQL schema permissions for:
- Edit assets in the <VolumeName> volume
- Create assets in the <VolumeName> volume

These permissions may be granted to:
- Authenticated users with appropriate GraphQL schema access
- Public Schema (if misconfigured with write permissions)


Technical Details

Vulnerable Code Flow

The code at src/gql/resolvers/mutations/Asset.php performs two separate DNS lookups:

// VALIDATION PHASE: First DNS resolution at time T1
private function validateHostname(string $url): bool
{
    $hostname = parse_url($url, PHP_URL_HOST);
    $ip = gethostbyname($hostname);  // DNS Lookup #1 - Returns safe IP

    if (in_array($ip, [
        '169.254.169.254',   // AWS, GCP, Azure IMDS
        '169.254.170.2',     // AWS ECS metadata
        '100.100.100.200',   // Alibaba Cloud
        '192.0.0.192',       // Oracle Cloud
    ])) {
        return false;  // Check passes - IP looks safe
    }
    return true;
}

// ... time gap between validation and request ...

// REQUEST PHASE: Second DNS resolution at time T2 (inside Guzzle)
$response = $client->get($url);  // DNS Lookup #2 - Guzzle resolves DNS AGAIN
                                  // Now returns 169.254.169.254!

Root Cause

Two separate DNS lookups occur:
1. Validation: gethostbyname() in validateHostname()
2. Request: Guzzle's internal DNS resolution via libcurl

An attacker controlling a DNS server can return different IPs for each query.

Bypass Mechanism

+-----------------------------------------------------------------------------+
| Attacker's DNS Server: evil.attacker.com                                    |
+-----------------------------------------------------------------------------+
| Query 1 (Validation - T1):                                                  |
|   Request:  A record for evil.attacker.com                                  |
|   Response: 1.2.3.4 (safe IP, TTL: 0)                                       |
|   Result:   Validation PASSES                                               |
+-----------------------------------------------------------------------------+
| Query 2 (Guzzle Request - T2):                                              |
|   Request:  A record for evil.attacker.com                                  |
|   Response: 169.254.169.254 (metadata IP, TTL: 0)                           |
|   Result:   Request goes to blocked IP -> CREDENTIALS STOLEN                |
+-----------------------------------------------------------------------------+

Target Endpoints via DNS Rebinding

DNS rebinding allows access to all blocked IPs:

Target Rebind To Impact
AWS IMDS 169.254.169.254 IAM credentials, instance identity
AWS ECS 169.254.170.2 Container credentials
GCP Metadata 169.254.169.254 Service account tokens
Azure Metadata 169.254.169.254 Managed identity tokens
Alibaba Cloud 100.100.100.200 Instance credentials
Oracle Cloud 192.0.0.192 Instance metadata
Internal Services 127.0.0.1, 10.x.x.x Internal APIs, databases

Attack Scenario

  1. Attacker sets up DNS server with alternating responses
  2. Attacker sends mutation with url: "http://evil.attacker.com/latest/meta-data/"
  3. First DNS query returns safe IP (e.g., 1.2.3.4) → validation passes
  4. Second DNS query returns metadata IP (169.254.169.254) → request to metadata
  5. Attacker retrieves credentials from ANY cloud provider
  6. Attacker can now achieve code execution by creating new instances with their SSH key

Remediation

Fix: DNS Pinning with CURLOPT_RESOLVE

Pin the DNS resolution - use the same resolved IP for both validation and request:

private function validateHostname(string $url): bool
{
    $hostname = parse_url($url, PHP_URL_HOST);

    // Resolve once
    $ip = gethostbyname($hostname);

    // Validate the resolved IP
    if (in_array($ip, [
        '169.254.169.254', '169.254.170.2',
        '100.100.100.200', '192.0.0.192',
    ])) {
        return false;
    }

    // Store for later use
    $this->pinnedDNS[$hostname] = $ip;

    return true;
}

// When making the request - CRITICAL: Use pinned IP
protected function makeRequest(string $url): ResponseInterface
{
    $hostname = parse_url($url, PHP_URL_HOST);
    $ip = $this->pinnedDNS[$hostname] ?? null;

    $options = [];
    if ($ip) {
        // Force Guzzle/curl to use the SAME IP we validated
        $options['curl'] = [
            CURLOPT_RESOLVE => [
                "$hostname:80:$ip",
                "$hostname:443:$ip"
            ]
        ];
    }

    return $this->client->get($url, $options);
}

Alternative: Single Resolution with Immediate Use

// Resolve to IP and use IP directly in URL
$ip = gethostbyname($hostname);

if (in_array($ip, $blockedIPs)) {
    return false;
}

// Make request directly to IP with Host header
$client->get("http://$ip" . parse_url($url, PHP_URL_PATH), [
    'headers' => [
        'Host' => $hostname
    ]
]);

Additional Mitigations

Mitigation Description
DNS Pinning (CURLOPT_RESOLVE) Force same IP for validation and request
Single IP-based request Use resolved IP directly in URL
Implement IMDSv2 Requires token header (infrastructure-level)
Network egress filtering Block metadata IPs at network level

Resources

基本情報

タイプ
reviewed
深刻度
high
GitHub 上のアドバイザリ
アドバイザリを開く ↗
リポジトリのアドバイザリ
リポジトリのアドバイザリを開く ↗
ソースコード
ソースを見る ↗
公開(アドバイザリ)
2026-02-23 22:16:01 UTC
更新
2026-02-27 21:49:24 UTC
GitHub レビュー済み
2026-02-23 22:16:01 UTC
NVD で公開
2026-02-23

EPSS Score

Score Percentile
0.01% 1.46%

CVSS Scores

Base score Version Severity Vector
7.0 4.0
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N クリックして展開
攻撃ベクター (AV:N)
インターネットや社内 WAN など、ルーティングされたネットワーク越しに遠隔から踏み台にしうる。
攻撃の複雑さ (AC:H)
タイミング・負荷・周辺設定に左右され、安定して成功させにくい。
攻撃要件 (AT:P)
特定のミドルウェア状態やデータ配置など、追加前提が揃わないと成立しない。
必要な権限 (PR:L)
一般ユーザー権限で足り、管理者は不要。
ユーザーの関与 (UI:N)
被害者の操作なしでも攻撃が完結しうる。
脆弱システムの機密性への影響 (VC:H)
広範な機微情報の窃取や長期滞留が現実的。
脆弱システムの完全性への影響 (VI:N)
改ざん・なりすましで信頼が揺らぐ局面はほとんど想定されない。
脆弱システムの可用性への影響 (VA:N)
業務を止めるほどの停止や劣化は想定しにくい。
後続システムの機密性への影響 (SC:H)
下流に広がる機微情報の窃取や長期滞留が現実的。
後続システムの完全性への影響 (SI:N)
下流の記録や設定が歪められる局面はほとんど想定されない。
後続システムの可用性への影響 (SA:N)
下流サービスが止まるほどの影響は想定しにくい。

Identifiers

CWEs

CWE id Name
CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

Credits

  • RajChowdhury240 (reporter)
  • rlarabee (reporter)

Affected packages (2)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
composer craftcms/cms >= 5.0.0-RC1, <= 5.8.22 5.8.23
composer craftcms/cms >= 3.5.0, <= 4.16.18 4.16.19

References

cvelogic Threat Intelligence