Project
Date
Severity
Moderately Critical
Vulnerability
Server-Side Request Forgery
Affected versions
filefield_sources 7.x-1.x versions prior to 7.x-1.12
Description
The FileField Sources module extends Drupal file fields so that a file can be fetched from a remote URL instead of uploaded from the user's machine. When a user submits a remote URL, the module fetches the resource server-side with cURL.
The module did not check that the hostname in the submitted URL resolves to an address outside private and reserved ranges, and did not restrict cURL to the HTTP and HTTPS protocols. A user who can supply a remote URL could therefore make the web server issue requests to hosts and services that it can reach but the user cannot, over any protocol the local libcurl supports (server-side request forgery).
This vulnerability is mitigated by the fact that the attacker must be an authenticated user with permission to upload through a file field that has the remote URL source enabled; that source is not enabled by default on file fields.
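As an added illustration (not code from the FileField Sources module, nor the fix shipped in 7.x-1.12), the PHP below places the vulnerable fetch shape beside a hardened one that closes both gaps the advisory names: it allows only http and https, resolves the hostname and rejects private and reserved answers, and pins cURL to the checked address. The function names, the stand-in resolver and the sample URLs are assumptions made for this example; the redirect re-validation and DNS pinning go beyond what the advisory text describes.

```php
<?php
// Added illustration, not the module's code or its fix; names and sample data are assumptions.
// Vulnerable shape: any scheme libcurl supports, destination never checked,
// redirects followed blindly.
function fetch_remote_unsafe($url) {
  $ch = curl_init($url);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
  curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
  $body = curl_exec($ch);
  curl_close($ch);
  return $body;
}

// TRUE only for a routable address: NO_PRIV_RANGE rejects RFC 1918 and fc00::/7,
// NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4, ::1, ::ffff:0:0/96, fe80::/10.
function ip_is_public($ip) {
  return filter_var($ip, FILTER_VALIDATE_IP,
    FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== FALSE;
}

// Production resolver: A and AAAA answers from the system resolver.
function dns_resolve($host) {
  $ips = array();
  foreach ((array) dns_get_record($host, DNS_A | DNS_AAAA) as $rr) {
    if (isset($rr['ip']))   $ips[] = $rr['ip'];
    if (isset($rr['ipv6'])) $ips[] = $rr['ipv6'];
  }
  return $ips;
}

// Returns FALSE, or what the fetcher needs to pin cURL to the checked address.
function validate_remote_url($url, $resolver = 'dns_resolve') {
  $p = parse_url($url);
  if ($p === FALSE || empty($p['scheme']) || empty($p['host'])) return FALSE;
  $scheme = strtolower($p['scheme']);
  if ($scheme !== 'http' && $scheme !== 'https') return FALSE;
  $host = trim($p['host'], '[]');                 // parse_url keeps IPv6 brackets
  $literal = filter_var($host, FILTER_VALIDATE_IP) !== FALSE;
  $ips = $literal ? array($host) : $resolver($host);
  if (empty($ips)) return FALSE;
  foreach ($ips as $ip) {
    if (!ip_is_public($ip)) return FALSE;         // one internal answer rejects the name
  }
  return array(
    'host' => $host,
    'port' => isset($p['port']) ? (int) $p['port'] : ($scheme === 'https' ? 443 : 80),
    'ip'   => $ips[0],
    'pin'  => !$literal,
  );
}

// Hardened fetch: HTTP(S) only, destination checked, cURL pinned to the checked
// address so a second DNS answer cannot rebind the name, and each redirect hop
// re-validated here instead of followed by cURL.
function fetch_remote_safe($url, $max_redirects = 3) {
  for ($hop = 0; $hop <= $max_redirects; $hop++) {
    $t = validate_remote_url($url);
    if ($t === FALSE) return FALSE;
    $opts = array(
      CURLOPT_RETURNTRANSFER  => TRUE,
      CURLOPT_FOLLOWLOCATION  => FALSE,
      CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
      CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
    );
    if ($t['pin']) {
      $opts[CURLOPT_RESOLVE] = array($t['host'] . ':' . $t['port'] . ':' . $t['ip']);
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, $opts);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $next = curl_getinfo($ch, CURLINFO_REDIRECT_URL);
    curl_close($ch);
    if ($code >= 300 && $code < 400 && $next) {
      $url = $next;                               // re-checked on the next pass
      continue;
    }
    return $body;
  }
  return FALSE;                                   // redirect limit exceeded
}

// Constructed stand-in resolver so the validator can be exercised offline.
function fake_resolver($host) {
  $table = array('files.example.org'  => array('203.0.113.10'),
                 'rebind.example.org' => array('203.0.113.11', '10.0.0.5'));
  return isset($table[$host]) ? $table[$host] : array();
}
$cases = array(
  'https://files.example.org/report.pdf'     => TRUE,
  'http://127.0.0.1:8080/admin'              => FALSE,
  'http://169.254.169.254/latest/meta-data/' => FALSE,
  'file:///etc/passwd'                       => FALSE,
  'https://rebind.example.org/'              => FALSE,
);
foreach ($cases as $url => $expected) {
  $ok = validate_remote_url($url, 'fake_resolver') !== FALSE;
  printf("%-42s %s\n", $url, $ok === $expected ? 'ok' : 'MISMATCH');
}
```

Two design points matter in practice. Checking the resolved address once and then letting cURL resolve the name again leaves a window for a DNS rebinding answer, which is why the hardened fetch hands the validated address to cURL through CURLOPT_RESOLVE; and leaving CURLOPT_FOLLOWLOCATION on would let a public host redirect the server to an internal one, so each hop is re-validated in the loop. PHP's filter flags do not cover shared address space (100.64.0.0/10) or multicast ranges; a deployment that needs those blocked should add explicit checks to ip_is_public.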
Solution
Install the latest version: if you use the FileField Sources module for Drupal 7, upgrade to filefield_sources 7.x-1.12.
Reported by
Fixed by
- Tag1 D7ES
Coordinated by
- Tag1 D7ES