How to fix CVE-2025-68437?

Within 30 days: Identify affected systems running versions 5.0.0-RC1 and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Is Craft Cms affected by CVE-2025-68437?

Organizations using versions 5.0.0-RC1 should be aware of notable risk from CVE-2025-68437, a server-side request forgery vulnerability rated CVSS 6.8. Users could be tricked into performing unintended actions. Proof-of-concept code is publicly available.

CVE-2025-68437

MEDIUM

2026-01-05 [email protected]

GHSA-x27p-wfqw-hfcc

6.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Jan 12, 2026 - 18:28 vuln.today

Public exploit code

Patch Released

Jan 12, 2026 - 18:28 nvd

Patch available

CVE Published

Jan 05, 2026 - 22:15 nvd

MEDIUM 6.8

Description

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume. Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue.

Analysis

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL save_<VolumeName>_Asset mutation is vulnerable to Server-Side Request Forgery (SSRF). [CVSS 6.8 MEDIUM]

Technical Context

Classified as CWE-918 (Server-Side Request Forgery (SSRF)). Affects Craft Cms. Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoin

Affected Products

Vendor: Craftcms. Product: Craft Cms. Versions: up to 5.8.20.

Remediation

A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +34

POC: +20

CVE-2025-68437 vulnerability details – vuln.today

Back

CVE-2025-68437

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-68437

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code