Severity: MEDIUM (4.9)

GHSA-v5c4-wcpj-x73m

Statamic Vulnerable to Server-Side Request Forgery via Glide (DNS rebinding)

Details

### Impact

The Glide image proxy's URL validation could be bypassed using DNS rebinding. Validation resolved the remote hostname and checked that it pointed to a publicly routable address, but the hostname was resolved again when the image was actually fetched, and that second answer was never checked. An attacker controlling the hostname's DNS (for example by serving answers with a short TTL) could therefore return a public address for the check and an internal address for the fetch. This could cause the server to make HTTP requests to internal addresses, including loopback, private-network, and cloud metadata endpoints.

This affects sites that pass user-supplied URLs to Glide.
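The time-of-check/time-of-use gap described above, as an added example that is not Statamic or Glide code. It is written in Python for illustration (Statamic itself is PHP); the resolver, the connector, the hostname `img.attacker.example` and the sample addresses are all constructed. The vulnerable function validates the first DNS answer and then lets the "HTTP client" resolve the name a second time; the hardened function resolves once, rejects if any returned address is non-public, and connects to the address it validated.

```python
"""DNS-rebinding TOCTOU in a host-validation SSRF filter, and a
resolve-once / connect-to-validated-address fix. Constructed example."""
import ipaddress
from typing import Callable, Iterable, List


def is_public_address(addr: str) -> bool:
    """True only if addr is globally routable: rejects loopback, RFC 1918,
    link-local (e.g. the 169.254.169.254 metadata endpoint), CGNAT,
    multicast, unspecified, and IPv4-mapped IPv6 forms of any of those."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return ip.is_global and not ip.is_multicast


class RebindingResolver:
    """Constructed stand-in for an attacker-controlled DNS zone: each lookup
    of the name returns the next scripted answer (a short-TTL rebind)."""

    def __init__(self, answers: Iterable[List[str]]):
        self._answers = iter(answers)

    def resolve(self, hostname: str) -> List[str]:
        return list(next(self._answers))


Connector = Callable[[str, str], str]  # (ip, host_header) -> where we ended up


def fake_connect(ip: str, host_header: str) -> str:
    """Constructed stand-in for the HTTP client's TCP connect; reports the
    address actually reached instead of sending a request."""
    return f"connected to {ip} (Host: {host_header})"


def fetch_validate_then_reresolve(hostname: str, resolver: RebindingResolver,
                                  connect: Connector = fake_connect) -> str:
    """Vulnerable pattern: validate the resolved address, then hand the
    *hostname* to the HTTP client, which performs its own, unchecked lookup."""
    for ip in resolver.resolve(hostname):          # time of check
        if not is_public_address(ip):
            raise ValueError(f"{hostname} resolves to non-public {ip}")
    ip_used = resolver.resolve(hostname)[0]        # time of use: fresh lookup
    return connect(ip_used, hostname)


def fetch_pinned(hostname: str, resolver: RebindingResolver,
                 connect: Connector = fake_connect) -> str:
    """Hardened pattern: resolve once, reject if any returned address is
    non-public, and connect to the validated address while still sending
    the original name as the Host header (and SNI for TLS)."""
    addrs = resolver.resolve(hostname)
    bad = [ip for ip in addrs if not is_public_address(ip)]
    if bad:
        raise ValueError(f"{hostname} resolves to non-public {bad}")
    return connect(addrs[0], hostname)


def demo():
    """Same scripted DNS for both fetchers: a globally routable address on
    the first lookup (8.8.8.8 is used only as a sample), loopback on the
    second. Returns (vulnerable result, hardened result)."""
    answers = [["8.8.8.8"], ["127.0.0.1"]]
    vuln = fetch_validate_then_reresolve("img.attacker.example",
                                         RebindingResolver(answers))
    safe = fetch_pinned("img.attacker.example", RebindingResolver(answers))
    return vuln, safe


if __name__ == "__main__":
    v, s = demo()
    print("validate-then-reresolve:", v)   # reaches 127.0.0.1
    print("pinned:", s)                     # stays on 8.8.8.8
```

In a real client the pinning step is done with the HTTP library's own mechanism, for example curl's `CURLOPT_RESOLVE` entry of the form `host:port:address`, so that the TLS handshake and Host header still use the original name. Two caveats that the example does not cover: every redirect hop must be validated and pinned the same way (or redirects refused), and the check must run against all A and AAAA records, not just the first.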

### Patches

This has been fixed in 5.73.24 and 6.20.1.


Affected packages

| Ecosystem / package | Introduced in | Fixed in | Fix |
|---|---|---|---|
| Packagist / statamic/cms | 0 | 5.73.24 | `composer require statamic/cms:^5.73.24` |
| Packagist / statamic/cms | 6.0.0 | 6.20.1 | `composer require statamic/cms:^6.20.1` |
