
CVE-2026-28423
CVSS 6.8 · EPSS 0.05%

SSRF and Configuration Exfiltration via Glide Integration in Statamic CMS

Amit Schendel, Senior Security Researcher

Mar 1, 2026 · 6 min read

PoC Available

Executive Summary (TL;DR)

Unauthenticated attackers can abuse the Glide image proxy in Statamic to read internal network resources (SSRF) and extract application secrets via template injection. Fixed in 5.73.11 and 6.4.0.

A critical security flaw exists in Statamic CMS versions prior to 5.73.11 and 6.4.0, involving the interaction between the Glide image manipulation library and the Antlers template engine. When Glide is configured in insecure mode (lacking signature verification), unauthenticated attackers can exploit a logic flaw in path normalization to perform Server-Side Request Forgery (SSRF) and inject Antlers template tags into image parameters to exfiltrate sensitive application configuration, including database credentials and API keys.

Vulnerability Overview

Statamic CMS integrates the Glide library to handle on-the-fly image manipulation, resizing, and watermarking. This functionality is exposed via specific routes that accept parameters such as src (source image) and mark (watermark). The vulnerability arises from a lack of strict input validation and context isolation when processing these parameters, specifically when Glide is configured without a signing key.

The flaw manifests in two distinct attack vectors. First, the application fails to properly validate the src parameter against internal path traversal when resolving relative URLs, allowing an attacker to coerce the server into fetching arbitrary external or internal resources (SSRF). Second, the mark parameter is passed to the Antlers template engine for evaluation without adequate sandboxing. This permits the injection of template tags that are evaluated within the application's context, leading to the disclosure of sensitive configuration data.

Root Cause Analysis

The vulnerability stems from three converging architectural failures:

1. Insecure Default Configuration Support: Statamic allows Glide to operate in an "insecure mode" where the key configuration option is null. In this state, the application does not verify the cryptographic signature (s parameter) of the request, allowing attackers to modify image manipulation parameters arbitrarily.

2. Template Engine Context Exposure: When processing the watermark (mark) parameter, the string is evaluated by the Antlers engine. Prior to version 5.73.11, the evaluation context included the entire application configuration array via config()->all(). This meant that standard template tags could access high-value secrets, such as {{ config:app:key }} or {{ config:database:connections:mysql:password }}.

3. Path Normalization Logic Error: The src/Sites/Site.php class contained a flaw in how it normalized relative paths. The method used Str::removeLeft($url, $this->absoluteUrl()) to strip the site's base URL from the requested asset path. If the absolute URL contained a trailing slash (e.g., https://example.com/) and the attacker supplied a malformed URL like https://example.com/http://169.254.169.254, the function would strip the prefix and leave the absolute URL http://169.254.169.254. This result was then processed by the HTTP client, triggering an outbound request to the internal address.

Code Analysis

The remediation addresses both the path normalization logic and the data exposure in the template engine.

Path Normalization Fix (src/Sites/Site.php)

The vulnerable code naively stripped the absolute URL prefix. The patch normalizes the base URL (trailing slash removed) before stripping it from the input, so the remainder always begins with a slash and is treated as a path relative to the site root rather than as a new absolute URI with its own scheme and host.

// Vulnerable Implementation
public function relativePath($url)
{
    // If absoluteUrl() has a trailing slash, it might leave the scheme of a nested URL intact
    return URL::makeRelative(Str::removeLeft($url, $this->absoluteUrl()));
}
 
// Patched Implementation
public function relativePath($url)
{
    // Explicitly remove trailing slash to ensure correct prefix stripping
    $siteUrl = Str::removeRight($this->absoluteUrl(), '/');
    return URL::makeRelative(Str::removeLeft($url, $siteUrl));
}
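To make the trailing-slash logic error in root-cause item 3 and the fix above concrete, here is an added Python rendition of the prefix-stripping step (not Statamic's own code). It models only Str::removeLeft and Str::removeRight; URL::makeRelative is not reproduced, and the site URL and nested URL are constructed sample inputs.

```python
"""Added example, not Statamic's code: the prefix-stripping step of
Site::relativePath() rendered in Python so the trailing-slash bug and its
fix can be compared side by side. Only Str::removeLeft / Str::removeRight
are modelled; URL::makeRelative is left out, and the sample URLs are
constructed."""
from urllib.parse import urlsplit


def remove_left(value: str, prefix: str) -> str:
    """Mirror of Str::removeLeft: drop prefix when value starts with it."""
    return value[len(prefix):] if prefix and value.startswith(prefix) else value


def remove_right(value: str, suffix: str) -> str:
    """Mirror of Str::removeRight: drop suffix when value ends with it."""
    return value[:-len(suffix)] if suffix and value.endswith(suffix) else value


def relative_path_vulnerable(url: str, site_url: str) -> str:
    """Pre-fix behaviour: strips the site URL verbatim, trailing slash
    included, so a nested URL keeps its own scheme and host."""
    return remove_left(url, site_url)


def relative_path_patched(url: str, site_url: str) -> str:
    """Post-fix behaviour: normalise the site URL first so the remainder
    always starts with '/', i.e. it is a root-relative path."""
    return remove_left(url, remove_right(site_url, "/"))


def is_absolute_url(path: str) -> bool:
    """True when the string still carries a scheme and host; an HTTP client
    would treat such a value as a new destination, not a local asset."""
    parts = urlsplit(path)
    return bool(parts.scheme) and bool(parts.netloc)


if __name__ == "__main__":
    site = "https://example.com/"                # trailing slash is the trigger
    nested = site + "http://169.254.169.254"     # constructed malformed input
    for label, fn in (("vulnerable", relative_path_vulnerable),
                      ("patched", relative_path_patched)):
        result = fn(nested, site)
        print(f"{label:10s} -> {result!r} absolute={is_absolute_url(result)}")
```

With a trailing slash on the site URL, the vulnerable variant returns a bare `http://...` string, while the patched variant returns `/http://...`, which `is_absolute_url` no longer recognises as a remote destination. Without the trailing slash both variants already behave identically, which is why the bug depended on configuration.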

Context Restriction Fix (src/View/Cascade.php)

Previously, the view cascade injected all configuration values into the Antlers context. The patch introduces a strict allowlist, exposing only safe configuration items required for frontend rendering.

// Vulnerable: Exposes all config, including env secrets
// $data = array_merge($data, config()->all());
 
// Fixed: Uses a defined allowlist
public static function config(): array
{
    $defaults = ['app.name', 'app.url', 'app.locale', ...];
    // Only keys in the allowlist are merged into the view context
    // ... logic to filter config ...
}
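The patched Cascade::config() body is elided above, so here is an added Python illustration (not Statamic's code) of what a dot-notation allowlist filter over a nested config array does, together with a lookup that mimics how an Antlers `config:...` tag resolves against the view context. The allowlist contents, the sample config and every secret value are constructed.

```python
"""Added example, not Statamic's code: an allowlist filter over a nested
config array in the spirit of the Cascade::config() fix, plus a lookup
mimicking how an Antlers 'config:...' tag resolves against the view
context. The sample config, allowlist and secrets are constructed."""
from typing import Any, Dict, Optional, Tuple

# Constructed sample in Laravel's config() layout; every secret is a dummy.
SAMPLE_CONFIG: Dict[str, Any] = {
    "app": {"name": "Demo Site", "url": "https://example.com",
            "locale": "en", "key": "base64:DUMMY-APP-KEY"},
    "database": {"connections": {"mysql": {"host": "db",
                                           "password": "DUMMY-DB-PASSWORD"}}},
    "services": {"stripe": {"secret": "DUMMY-STRIPE-SECRET"}},
}

# Dot-notation allowlist (assumed set; the real list lives in the patch).
VIEW_CONFIG_ALLOWLIST: Tuple[str, ...] = ("app.name", "app.url", "app.locale")


def get_dotted(data: Any, dotted_key: str) -> Optional[Any]:
    """Walk a nested dict by 'a.b.c'; None when any segment is missing."""
    node = data
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def set_dotted(data: Dict[str, Any], dotted_key: str, value: Any) -> None:
    """Create intermediate dicts as needed and store value at 'a.b.c'."""
    parts = dotted_key.split(".")
    node = data
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def view_config(config: Dict[str, Any],
                allowlist: Tuple[str, ...] = VIEW_CONFIG_ALLOWLIST) -> Dict[str, Any]:
    """Build the view context from allowlisted keys only (patched behaviour).
    Anything not listed, including database.* and app.key, is never copied."""
    out: Dict[str, Any] = {}
    for key in allowlist:
        value = get_dotted(config, key)
        if value is not None:
            set_dotted(out, key, value)
    return out


def resolve_config_tag(view_context: Dict[str, Any], tag: str) -> Optional[Any]:
    """Resolve an Antlers-style tag such as
    '{{ config:database:connections:mysql:password }}' against a view
    context. Returns None when the key is not exposed."""
    parts = tag.strip("{} ").split(":")
    if parts[0] != "config" or len(parts) < 2:
        return None
    return get_dotted(view_context, ".".join(parts[1:]))


if __name__ == "__main__":
    probe = "{{ config:database:connections:mysql:password }}"
    # Unfiltered context models the pre-fix config()->all() merge.
    print("unfiltered :", resolve_config_tag(SAMPLE_CONFIG, probe))
    print("allowlisted:", resolve_config_tag(view_config(SAMPLE_CONFIG), probe))
```

The important property is that the filter copies values out of the config rather than deleting keys from it: a new key added to `database.*` or `services.*` later stays hidden by default, which a denylist would not guarantee.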

Exploitation Methodology

Exploitation requires that the Statamic instance has Glide configured without a signing key. This is common in development environments or misconfigured production sites.

Scenario 1: Information Disclosure (Antlers Injection)

The attacker sends a request to a Glide endpoint with a malicious mark parameter. The server interprets the parameter as a path to a watermark image but first evaluates it as an Antlers template.

GET /img/asset.jpg?mark={{ config:database:connections:mysql:password }} HTTP/1.1
Host: target.com

If successful, the Antlers engine resolves the tag to the actual database password. While the resulting string is likely an invalid file path, the error message generated by the application (or the reflection of the path in the response) typically leaks the evaluated content.

Scenario 2: Server-Side Request Forgery (SSRF)

The attacker targets the image proxy functionality to access cloud metadata services. By crafting a URL that abuses the path normalization bug, they bypass the restriction that usually limits src to local assets.

GET /img/proxy?src=https://target.com/http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1
Host: target.com

The removeLeft function strips https://target.com/, leaving http://169.254.169.254/.... The backend HTTP client then fetches this URL. The response body (AWS credentials) may be returned as a corrupted image stream or revealed in debug output.

Impact Assessment

The impact of this vulnerability is significant due to the nature of the data exposed. While it requires a specific configuration ('insecure mode'), the consequences of exploitation are severe.

Confidentiality (High): The ability to dump config()->all() provides attackers with database credentials, mail server passwords, third-party API keys (AWS, Stripe), and the Laravel APP_KEY. Possession of the APP_KEY can often be escalated to Remote Code Execution (RCE) via deserialization attacks if the attacker can interact with session cookies or encrypted payloads.

SSRF Impact: Access to internal network services allows attackers to map the internal network, interact with unauthenticated services (like Redis or Memcached), or retrieve cloud instance credentials. This can lead to full infrastructure compromise depending on the permissions attached to the cloud instance profile.

Remediation and Mitigation

Users must upgrade to Statamic versions 5.73.11 or 6.4.0 immediately. These versions introduce strict configuration allowlisting and fix the path normalization logic.

Configuration Hardening

Regardless of the patch status, administrators should strictly enforce URL signing for Glide. This prevents attackers from tampering with parameters entirely.

// config/statamic/glide.php
'key' => env('STATAMIC_GLIDE_KEY', 'generate-a-long-random-string'),
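To show why a signing key defeats parameter tampering, here is an added illustrative signed-URL scheme in Python. It is not Glide's own signature algorithm; it uses HMAC-SHA256 over a canonical form of the path and parameters, and the key, path and parameters are constructed placeholders.

```python
"""Added example, not Glide's own signature algorithm: an illustrative
HMAC-SHA256 signed-URL scheme showing why a signing key stops parameter
tampering. Key, path and parameters are constructed placeholders."""
import hashlib
import hmac
from typing import Dict
from urllib.parse import urlencode

SIGNATURE_PARAM = "s"  # the signature parameter named in the report


def canonical_request(path: str, params: Dict[str, str]) -> str:
    """Deterministic string covering the path and every parameter except the
    signature itself, so reordering parameters cannot change the digest."""
    items = sorted((k, v) for k, v in params.items() if k != SIGNATURE_PARAM)
    return path.lstrip("/") + "?" + urlencode(items)


def sign(key: str, path: str, params: Dict[str, str]) -> str:
    """Hex HMAC-SHA256 of the canonical request under the site's secret key."""
    return hmac.new(key.encode(), canonical_request(path, params).encode(),
                    hashlib.sha256).hexdigest()


def verify(key: str, path: str, params: Dict[str, str]) -> bool:
    """Accept only requests whose signature matches every parameter as sent.
    A missing signature (the 'insecure mode' case) is rejected outright, and
    the comparison is constant-time."""
    provided = params.get(SIGNATURE_PARAM)
    if not provided:
        return False
    return hmac.compare_digest(provided, sign(key, path, params))


def signed_params(key: str, path: str, params: Dict[str, str]) -> Dict[str, str]:
    """Issuing side: return a copy of params with the signature attached."""
    out = dict(params)
    out[SIGNATURE_PARAM] = sign(key, path, out)
    return out


if __name__ == "__main__":
    key = "CONSTRUCTED-GLIDE-KEY"      # placeholder for STATAMIC_GLIDE_KEY
    path = "/img/asset.jpg"
    good = signed_params(key, path, {"w": "300", "h": "200"})
    print("legitimate request:", verify(key, path, good))
    tampered = dict(good, mark="{{ config:app:key }}")
    print("tampered request  :", verify(key, path, tampered))
```

Because every parameter except `s` is covered by the digest, adding or altering `mark` or `src` after the URL was issued invalidates the signature, which is the property the `key` setting above buys you.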

Defense in Depth

  1. Network Segmentation: Block outbound traffic from the web server to sensitive internal subnets (e.g., 169.254.169.254, 10.0.0.0/8).
  2. WAF Rules: Configure Web Application Firewalls to inspect query parameters for Antlers/Blade syntax (e.g., {{, }}) and common SSRF payloads.
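As an added detection example (not part of the original report), the following Python scanner applies the WAF idea above to web-server access logs, flagging the two request shapes from Scenarios 1 and 2: Antlers `{{ ... }}` syntax in any Glide query parameter, and a `src` value carrying a second URL scheme after the site host. The log lines are constructed samples in common-log format, and the `/img/` route prefix is assumed from the report's own request examples.

```python
"""Added example, not from the original report: a small access-log scanner
for the two Glide request patterns discussed (Antlers tags in parameters,
nested scheme in src). Log lines are constructed; /img/ prefix is assumed."""
import re
from typing import List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: Glide image routes sit under /img/ as in the report's examples.
GLIDE_ROUTE = re.compile(r'"(?:GET|HEAD) (/img/[^ ]*) HTTP/')
ANTLERS_TAG = re.compile(r"\{\{.*?\}\}")
# A URL whose path contains a further scheme://, the SSRF shape from Scenario 2.
NESTED_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://.+/[a-z][a-z0-9+.-]*://", re.I)

# Constructed sample log; IPs are documentation ranges, payloads are the report's.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2026:10:00:01 +0000] "GET /img/asset.jpg?w=300&s=abc123 HTTP/1.1" 200 5120
203.0.113.9 - - [01/Mar/2026:10:00:02 +0000] "GET /img/asset.jpg?mark=%7B%7B%20config:database:connections:mysql:password%20%7D%7D HTTP/1.1" 500 812
203.0.113.9 - - [01/Mar/2026:10:00:03 +0000] "GET /img/proxy?src=https://target.com/http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 1033
203.0.113.7 - - [01/Mar/2026:10:00:04 +0000] "GET /blog/hello HTTP/1.1" 200 9000
"""


def inspect_request(target: str) -> List[str]:
    """Return rule names triggered by one Glide request target (path+query)."""
    findings: List[str] = []
    query = urlsplit(target).query
    params = parse_qs(query, keep_blank_values=True)
    for name, values in params.items():
        for raw in values:
            value = unquote(raw)  # second decode catches double-encoded braces
            if ANTLERS_TAG.search(value):
                findings.append(f"antlers-injection:{name}")
            if name == "src" and NESTED_SCHEME.match(value):
                findings.append("nested-scheme-ssrf:src")
    # No signature at all means the instance is serving unsigned Glide URLs,
    # i.e. the insecure-mode precondition the report describes.
    if "s" not in params:
        findings.append("unsigned-glide-request")
    return findings


def scan_log(text: str) -> List[Tuple[int, List[str]]]:
    """Return (line_no, findings) for every Glide request that trips a rule."""
    hits: List[Tuple[int, List[str]]] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = GLIDE_ROUTE.search(line)
        if not match:
            continue
        findings = inspect_request(match.group(1))
        if findings:
            hits.append((line_no, findings))
    return hits


if __name__ == "__main__":
    for line_no, findings in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(findings)}")
```

Line 1 (a signed resize) produces nothing, line 2 trips the Antlers rule, line 3 trips the nested-scheme rule, and the non-Glide request on line 4 is skipped. The `unsigned-glide-request` finding is deliberately low-severity on its own: it becomes useful as a fleet-wide signal that a site is still running without a Glide key.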

Official Patches

Statamic: release notes for version 5.73.11
Statamic: release notes for version 6.4.0

Technical Appendix

CVSS Score: 6.8 / 10
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS Probability: 0.05% (top 84% most exploited)

Affected Systems

Statamic CMS

Affected Versions Detail

Product                   Affected Versions    Fixed Version
Statamic CMS (Statamic)   < 5.73.11            5.73.11
Statamic CMS (Statamic)   >= 6.0.0, < 6.4.0    6.4.0

Attribute             Detail
CWE ID                CWE-918
Secondary CWE         CWE-200
Attack Vector         Network
CVSS                  6.8
Privileges Required   None
Exploit Status        PoC Available

MITRE ATT&CK Mapping

T1190 Exploit Public-Facing Application (Initial Access)
T1552 Unsecured Credentials (Credential Access)
T1213 Data from Information Repositories (Collection)

CWE-918: Server-Side Request Forgery (SSRF)

Known Exploits & Detection

GitHub Security Advisory: official advisory with proof-of-concept details

Vulnerability Timeline

2026-02-23  Initial fix commits pushed
2026-02-27  Vulnerability published
2026-02-27  Patched versions 5.73.11 and 6.4.0 released

References & Sources

  • [1] GHSA-cwpp-325q-2cvp