Fixed GHSA-3m9m-24vh-39wx

Author: brandonkelly

CHANGELOG.md

@@ -6,6 +6,7 @@
 - Fixed a bug where `users/suspend-user` and `users/unsuspend-user` actions required that the logged-in user have control panel access. ([#18485](https://github.com/craftcms/cms/issues/18485))
 - Fixed a bug where flipping an image within the Image Editor didn’t always work. ([#18486](https://github.com/craftcms/cms/issues/18486))
 - Fixed a bug where SVG files missing their `width` and `height` attributes weren’t getting them set as expected.
+- Fixed a [moderate-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) SSRF vulnerability. (GHSA-3m9m-24vh-39wx)
 
 ## 4.17.8 - 2026-02-25
 

src/gql/resolvers/mutations/Asset.php

@@ -251,6 +251,10 @@ protected function handleUpload(AssetElement $asset, array $fileInformation): bo
         } elseif (!empty($fileInformation['url'])) {
             $url = $fileInformation['url'];
 
+            if (!$this->validateScheme($url)) {
+                throw new UserError("$url contains an invalid scheme.");
+            }
+
             if (!$this->validateHostname($url)) {
                 throw new UserError("$url contains an invalid hostname.");
             }
@@ -297,6 +301,13 @@ protected function handleUpload(AssetElement $asset, array $fileInformation): bo
         return true;
     }
 
+    private function validateScheme(string $url): bool
+    {
+        // block Gopher/File/FTP Smuggling
+        $scheme = parse_url($url, PHP_URL_SCHEME);
+        return in_array(strtolower($scheme), ['http', 'https'], true);
+    }
+
     private function validateHostname(string $url): bool
     {
         $hostname = parse_url($url, PHP_URL_HOST);