Craft CMS CVE-2026-27129 IPv6 SSRF Protection Bypass via gethostbyname

Thinking Process: 1. Analyze the Request: Task: Translate a Chinese vulnerability intelligence summary to English. Role: Professional translator specializing in cybersecurity. Constraint 1: Maintain all Markdown formatting intact. Constraint 2: Do not add any introductory or concluding remarks. Constraint 3: Just output the English translation. Input: A structured text containing vulnerability details (Name, IDs, Severity, Affected Versions, Root Cause, Bypass Mechanism, Payloads, Attack Scenario, Remediation). 2. Analyze the Input Content: Header: (Key Information) Section 1: (Vulnerability Overview) Fields: Name, GHSA ID, CVE ID, Severity, Related Vulnerabilities. Note: Some fields are already in English (Name, IDs). I need to translate the labels (e.g., "严重性" -> "Severity", "相关漏洞" -> "Related Vulnerabilities"). Section 2: (Affected Versions and Fixed Versions) Fields: Affected Versions, Fixed Versions. Content: Version ranges (keep as is). Section 3: (Root Cause) Content: Technical explanation involving , IPv4, A records, hostname string, SSRF bypass. Section 4: (Bypass Mechanism) Content: Step-by-step process (Attacker provides URL, validation calls function, blacklist check fails, etc.). Section 5: (Bypass Payloads) Content: Example URLs. Section 6: (Attack Scenario) Content: Steps involving Craft CMS, GraphQL, AWS roles, credentials, EC2 instances. Section 7: (Remediation Recommendations) Content: Replace function, check IPv4/IPv6, block prefixes. 3. Drafting the Translation (Iterative Process): Header: -> Section 1: -> -> (Already English in value, but label needs translation) -> -> -> -> Section 2: -> (or ) -> Let's use . -> -> Section 3: -> Text: 只解析 IPv4 地址，如果没有 A 记录，则返回主机名字符串，导致 SSRF 保护绕过。 Translation: only resolves IPv4 addresses; if no A record exists, it returns the hostname string, leading to an SSRF protection bypass. Section 4: -> 1. 攻击者提供 URL（IPv6 地址） -> 1. Attacker provides a URL (IPv6 address) 2. 验证调用 ，返回主机名字符串 -> 2. Validation calls , which returns the hostname string 3. 黑名单检查失败，验证通过 -> 3. Blacklist check fails, validation passes 4. 利用 IPv6 绕过黑 listed IPv4 地址，获取敏感信息 -> 4. Exploit IPv6 to bypass blacklisted IPv4 addresses and access sensitive information Section 5: -> -> URLs remain unchanged. Section 6: -> 1. 找到启用 GraphQL 资产变异的 Craft CMS 实例 -> 1. Locate a Craft CMS instance with GraphQL asset mutations enabled 2. 发送特殊的 GraphQL 变异 -> 2. Send a specific GraphQL mutation 3. 通过错误信息或保存文件获取 AWS 角色名 -> 3. Obtain the AWS role name via error messages or saved files 4. 使用第二步的信息获取 AWS 凭据 -> 4. Use information from step 2 to obtain AWS credentials 5. 利用获取的凭据访问 AWS 服务 -> 5. Access AWS services using the obtained credentials 6. 创建新的 EC2 实例，执行远程代码 -> 6. Create a new EC2 instance and execute remote code Section 7: -> 1. 替换 为 ，同时检查 IPv4 和 IPv6 地址 -> 1. Replace with and check both IPv4 and IPv6 addresses 2. 阻止已知的 IPv6 云元数据前缀（如 AWS IMDS、GCP metadata 等） -> 2. Block known IPv6 cloud metadata prefixes (e.g., AWS IMDS, GCP metadata, etc.) 4. Review and Refine: Check Markdown: Headers ( , ), bold ( ), lists ( , ), code ticks ( 关键信息 Key Information 漏洞概述 Vulnerability Overview 名称: Name: 严重性: Severity: 相关漏洞: Related Vulnerabilities: 影响版本及修复版本 Affected and Fixed Versions 受影响版本: Affected Versions: 已修复版本: Fixed Versions**: 根本原因 Root Cause 绕过机制 Bypass Mechanism 绕过载荷 Bypass Payloads 攻击场景 Attack Scenario 修复建议 Remediation Recommendations gethostbyname() gethostbyname() http://fd00-ec2--254.sslip.io/latest/meta-data/ http://fd00-ec2--170.sslip.io/latest/meta-data/ gethostbyname() dns_get_record()` and check both IPv4 and IPv6 addresses Block known IPv6 cloud metadata prefixes (e.g., AWS IMDS, GCP metadata, etc.)

Goal Reached Thanks to every supporter — we hit 100%!

Craft CMS CVE-2026-27129 IPv6 SSRF Protection Bypass via gethostbyname

More from this source