# CraftQL SSRF Vulnerability Summary

## Vulnerability Overview

CraftQL is a GraphQL plugin for Craft CMS. The plugin contains a **Server-Side Request Forgery (SSRF)** vulnerability in its handling of remote URLs supplied to Asset fields: a URL taken from a GraphQL mutation is passed to PHP's `file_get_contents()` with no validation of scheme, host or destination address, so the server fetches whatever the attacker names. Because `file_get_contents()` accepts local paths and `file://` URLs as well as `http://`, the same sink reaches the local filesystem.

**Consequences of exploitation:**

* Read local server files (e.g., `/etc/passwd`, `.env` configuration files).
* Scan internal network ports and services.
* Steal cloud service provider metadata (AWS/GCP/Azure IAM credentials).
* Access other sensitive internal network resources.

## Impact Scope

* **Affected Component:** CraftQL Plugin - GetAssetsFieldSchema.php
* **Affected Versions:** Craft CMS 3.x with the CraftQL plugin

## Fix

The patched code resolves the remote host, rejects private destination addresses, and fetches with a Guzzle client using short timeouts, no redirects and a streamed body, instead of calling `file_get_contents()` directly. Only a fragment of that code is legible on this page; in the listing below, the comparison operators, range upper bounds and the `getGuzzle()` receiver are reconstructed and marked as assumptions.

```php
// Resolve the target and refuse private destinations before fetching.
// Reconstruction note: the code preceding this check is not legible; $ip is
// assumed to hold the target's IPv4 address as a long (ip2long()).
if ($this->isPrivateIP($ip)) {
    throw new \InvalidArgumentException('Private IP addresses not allowed');
}

private function isPrivateIP($ip)
{
    // Lower bounds are from the original; the '<=' upper bounds and the '||'
    // joins are reconstructed as the end of each block (assumption):
    // 192.168.0.0/16, 172.16.0.0/12, 192.0.2.0/24
    return (
        ($ip >= 3232235520 && $ip <= 3232301055) ||
        ($ip >= 2886729728 && $ip <= 2887778303) ||
        ($ip >= 3221225984 && $ip <= 3221226239)
    );
}

$client = $this->getGuzzle(); // receiver assumed; only 'getGuzzle()' is legible
try {
    $response = $client->get($remoteUrl, [
        'timeout'         => 10,
        'connect_timeout' => 5,
        'allow_redirects' => false, // a redirect to an internal host would bypass the IP check
        'stream'          => true,
    ]);
    $content = $response->getBody()->getContents();
} catch (\Exception $e) {
    throw new \InvalidArgumentException('Failed to fetch URL');
}

file_put_contents($uploadPath, $content);
```

Caveats on the fix as recovered: the visible range check starts at 192.168.0.0, 172.16.0.0 and 192.0.2.0, so it covers 192.168.0.0/16, 172.16.0.0/12 and the 192.0.2.0 test block. It does not reject 10.0.0.0/8, loopback (127.0.0.0/8), link-local 169.254.0.0/16, where the cloud metadata endpoint 169.254.169.254 listed under consequences lives, or any IPv6 address, and it does not restrict the URL scheme. Checking one resolved address and then letting Guzzle resolve the hostname again leaves a DNS rebinding window. `allow_redirects => false` does close the open-redirect bypass, and the timeouts limit the value of the sink as a port scanner.
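An added example (not CraftQL's or Craft CMS's code) of how the validation in the fix above can be made complete: allowlist the scheme, resolve every A and AAAA record of the host, reject private, reserved, loopback and link-local addresses with PHP's `filter_var` flags, and pin the connection to the checked address with `CURLOPT_RESOLVE` so the fetch cannot be rebound to another address. The helper names `assertPublicHost()` and `fetchRemoteAsset()` and the 20 MB size cap are assumptions; the only dependency is `guzzlehttp/guzzle`.

```php
<?php
declare(strict_types=1);

use GuzzleHttp\Client;

// Hypothetical helper: resolves $host and returns its addresses, throwing if any
// of them is not a public unicast address.
function assertPublicHost(string $host): array
{
    // A literal IP goes straight to the check; a hostname is resolved for A and AAAA.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ips = [$host];
    } else {
        $records = dns_get_record($host, DNS_A | DNS_AAAA) ?: [];
        $ips = [];
        foreach ($records as $r) {
            $ips[] = $r['type'] === 'AAAA' ? $r['ipv6'] : $r['ip'];
        }
        if ($ips === []) {
            throw new \InvalidArgumentException('Host does not resolve');
        }
    }
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16, fc00::/7.
    // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16 (metadata), 240/4, ::1, ::, ::ffff:0:0/96, fe80::/10.
    foreach ($ips as $ip) {
        $ok = filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        if ($ok === false) {
            throw new \InvalidArgumentException("Destination address not allowed: $ip");
        }
    }
    return $ips;
}

// Hypothetical replacement for the unvalidated file_get_contents() sink.
function fetchRemoteAsset(string $remoteUrl, int $maxBytes = 20_000_000): string
{
    $parts = parse_url($remoteUrl);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new \InvalidArgumentException('Malformed URL');
    }
    // Only http(s): rules out file://, php://, gopher://, ftp:// and friends.
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new \InvalidArgumentException('Only http and https URLs are allowed');
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        throw new \InvalidArgumentException('Credentials in URL are not allowed');
    }
    $host = $parts['host'];
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    $ips  = assertPublicHost(trim($host, '[]')); // parse_url keeps [] around IPv6 literals

    // Pin the connection to the address we just checked so a second lookup by
    // curl cannot be answered with an internal address (DNS rebinding). Host
    // header and SNI still carry the original hostname.
    $client   = new Client();
    $response = $client->get($remoteUrl, [
        'timeout'         => 10,
        'connect_timeout' => 5,
        'allow_redirects' => false, // a redirect would skip every check above
        'stream'          => true,
        'curl'            => [
            CURLOPT_RESOLVE => [sprintf('%s:%d:%s', $host, $port, $ips[0])],
        ],
    ]);
    if ($response->getStatusCode() !== 200) {
        throw new \InvalidArgumentException('Unexpected response status');
    }
    // Read in chunks with a hard size cap so an endless body cannot fill disk or memory.
    $body    = $response->getBody();
    $content = '';
    while (!$body->eof()) {
        $content .= $body->read(65536);
        if (strlen($content) > $maxBytes) {
            throw new \InvalidArgumentException('Remote file too large');
        }
    }
    return $content;
}

// Usage: $data = fetchRemoteAsset('https://example.org/image.png');
// fetchRemoteAsset('http://169.254.169.254/latest/meta-data/') and
// fetchRemoteAsset('file:///etc/passwd') both throw before any request is made.
```

The `filter_var` flags do not cover 100.64.0.0/10 (carrier NAT) or multicast 224.0.0.0/4; add explicit checks if those are reachable from the server. Pinning with `CURLOPT_RESOLVE` uses the first checked address; if the host has several records, every one of them has already been validated, so choosing any of them is safe.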