The Ghost in the Minified Blob: Unpacking GHSA-RWR8-XRPW-9QF5 in Craft Freeform
Jan 16, 2026 · 5 min read
Executive Summary (TL;DR)
Your `composer.json` may say you are safe, but your `vendor/` directory tells a different story. Solspace Freeform for Craft CMS shipped a precompiled frontend bundle (`plugin.js`) with an embedded copy of the Axios HTTP client older than 1.7.5, a range affected by CVE-2024-39338 (SSRF / redirect bypass). Because the library is compiled into the asset rather than declared as a dependency, neither `composer update` nor an audit of your own project's npm lockfile will find or replace it. The fix is to update Freeform to 4.1.30 or 5.14.6, the releases in which the vendor rebuilt the assets against a patched Axios.
This is a supply-chain issue in the literal sense: the vulnerable code is present in what is served to browsers even though every dependency manifest looks clean. One caveat on the label: the bundled copy runs in the visitor's browser, so "SSRF" is the flaw class inherited from the Axios advisory; in a client-side context the same URL-handling bug sends the request to an unintended host rather than from the server.
Technical Appendix
CVSS 3.1 vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N` (base score 8.2, High)
Affected Systems
| Product | Affected Versions | Fixed Version |
|---|---|---|
| solspace/craft-freeform (Solspace) | 4.x, < 4.1.30 | 4.1.30 |
| solspace/craft-freeform (Solspace) | 5.x, < 5.14.6 | 5.14.6 |
| Attribute | Detail |
|---|---|
| Vulnerability Type | Bundled Vulnerable Dependency |
| Component | Axios Library (embedded in plugin.js) |
| Underlying CVE | CVE-2024-39338 (path-relative URLs handled as protocol-relative) |
| Attack Vector | Network (Client-side) |
| Exploit Status | Public PoC for the underlying Axios flaw; no Freeform-specific exploit cited |
| Impact | SSRF / Security Control Bypass |
Weakness Class
Freeform uses a third-party component (Axios) that contains a known vulnerability, and bundles it precompiled into `plugin.js`. That copy is invisible to Composer and to the consuming project's npm lockfile, so a routine dependency update does not replace it; only a rebuilt plugin release from the vendor does.
Known Exploits & Detection
A public proof of concept exists for the underlying Axios flaw (CVE-2024-39338); this advisory cites no Freeform-specific exploit. Detection has to look at the shipped asset itself: `composer show solspace/craft-freeform` tells you the plugin version, but only the bundle under `vendor/` reveals which Axios was compiled in.