Fixed GHSA-8jr8-7hr4-vhfx

Author: brandonkelly

CHANGELOG.md

@@ -5,7 +5,7 @@
 - The `utils/fix-field-layout-uids` command now checks for duplicate top-level field layout UUIDs. ([#18193](https://github.com/craftcms/cms/pull/18193))
 - Fixed a bug where all plugin settings were being saved to the project config, rather than just posted settings. ([craftcms/commerce#4006](https://github.com/craftcms/commerce/issues/4006))
 - Fixed a bug where custom selects could be positioned incorrectly after the window was resized. ([#18179](https://github.com/craftcms/cms/issues/18179))
-- Fixed an SSRF vulnerability. (GHSA-96pq-hxpw-rgh8)
+- Fixed SSRF vulnerabilities. (GHSA-96pq-hxpw-rgh8, GHSA-8jr8-7hr4-vhfx)
 - Fixed a SQL injection vulnerability. (GHSA-2453-mppf-46cj)
 
 ## 4.16.17 - 2025-12-0421

src/gql/resolvers/mutations/Asset.php

@@ -24,6 +24,7 @@
 use GraphQL\Error\UserError;
 use GraphQL\Type\Definition\ResolveInfo;
 use GuzzleHttp\Client;
+use GuzzleHttp\RequestOptions;
 use Throwable;
 use yii\base\Exception;
 use yii\base\InvalidArgumentException;
@@ -259,7 +260,10 @@ protected function handleUpload(AssetElement $asset, array $fileInformation): bo
 
             // Download the file
             $tempPath = AssetsHelper::tempFilePath($extension);
-            $this->createGuzzleClient()->request('GET', $url, ['sink' => $tempPath]);
+            $this->createGuzzleClient()->request('GET', $url, [
+                RequestOptions::ALLOW_REDIRECTS => false,
+                RequestOptions::SINK => $tempPath,
+            ]);
         }
 
         if (!$tempPath || !$filename) {