Listen to this Post
How the CVE works
The Statamic CMS Glide image proxy endpoint (typically `/img` or /glide) accepts a `src` parameter with a user-supplied URL. The built-in URL validation checks that the host resolves to a public IP address, preventing requests to loopback (127.0.0.1), private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), and cloud metadata endpoints (169.254.169.254). However, the validation does not normalize alternative IP representations before the public-IP check. An attacker can bypass the filter by using octal (e.g., 0177.0.0.1), hexadecimal (e.g., 0x7f000001), decimal (e.g., `2130706433` for 127.0.0.1), or mixed-notation IPs, as well as IPv6 compressed forms like `[::1]` or [::ffff:7f00:1]. The server then passes the unnormalized URL to PHP’s `file_get_contents()` or curl, which resolves the alternative representation to the internal address. Unauthenticated users can trigger this SSRF. The attack can target localhost services, internal network hosts, and cloud instance metadata APIs. Sites running PHP 8.3 or newer are not affected because PHP’s URL validation was hardened. The issue exists in Glide implementations within Statamic before versions 5.73.22 and 6.18.1. The patch normalizes the IP address using `inet_pton()` and `inet_ntop()` before the public-IP check, rejecting non-public representations.
dailycve form
Platform: Statamic CMS
Version: Multiple affected ranges
Vulnerability: SSRF via Glide
Severity: Moderate
Date: May 18 2026
Prediction: Already patched 5.73.22
What Undercode Say:
Test for SSRF using decimal IP to bypass validation curl -v "https://target.com/img?src=http://2130706433:8080/admin" Enumerate internal services via octal representation curl "https://target.com/glide?src=http://0177.0.0.1:22" Check cloud metadata endpoint (AWS) curl "https://target.com/img?src=http://169.254.169.254/latest/meta-data/"
// PHP proof-of-concept: bypass with hex notation
$payload = "http://0x7f000001:80/internal";
$response = file_get_contents("https://target.com/glide?src=" . urlencode($payload));
how Exploit:
- Identify a Statamic endpoint using Glide with user-controlled `src` parameter.
- Replace the host with an internal IP represented in octal, decimal, or hexadecimal format.
- Append target internal port and path (e.g., `http://0x7f000001:8080/admin`).
- Send the request unauthenticated; server resolves and fetches internal resource.
- Read response to extract sensitive data or scan internal network.
Protection from this CVE
- Upgrade to Statamic 5.73.22 or 6.18.1 immediately.
- If patching not possible, run PHP 8.3 or newer (blocks the bypass).
- Disable Glide proxy for user-supplied URLs by removing the `src` parameter handler.
- Implement a web application firewall rule to block requests containing non-decimal IP patterns (octal, hex, decimal) in the `src` parameter.
- Restrict outbound HTTP from the application server using strict egress firewall policies.
Impact:
- Internal port scanning and service enumeration.
- Read cloud metadata (AWS, GCP, Azure) leading to credential theft.
- Access localhost services (e.g., Redis, Memcached, admin panels).
- Attack internal network hosts, pivot to other systems.
- Potential remote code execution if internal services are vulnerable.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

