CVE-2025-66294
📋 TL;DR
This Server-Side Template Injection (SSTI) vulnerability in Grav allows authenticated users with editor permissions to execute arbitrary commands on the server. Under certain conditions, unauthenticated attackers may also exploit this weakness. The vulnerability exists due to insufficient regex validation in the cleanDangerousTwig method.
💻 Affected Systems
- Grav CMS
📦 What is this software?
Grav by Getgrav
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise leading to data theft, malware deployment, or complete system takeover
Likely Case
Unauthorized code execution leading to data exfiltration, website defacement, or backdoor installation
If Mitigated
Limited impact if proper access controls and input validation are in place
🎯 Exploit Status
The vulnerability is relatively easy to exploit once the attack vector is identified. Public proof-of-concept may emerge soon given the high CVSS score.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.0-beta.27
Vendor Advisory: https://github.com/getgrav/grav/security/advisories/GHSA-662m-56v4-3r8f
Restart Required: Yes
Instructions:
1. Backup your Grav installation and database.
2. Update Grav to version 1.8.0-beta.27 or later.
3. Restart your web server.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict Editor Access
Temporarily remove editor permissions from all non-essential users
# Edit user accounts YAML files to remove editor permissions
Disable Twig Template Editing
Disable template editing functionality if not required
# Modify Grav configuration to disable template editing features
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to limit access to Grav instances
- Enable detailed logging and monitoring for suspicious template editing activities
🔍 How to Verify
Check if Vulnerable:
Check your Grav version by examining the grav/system/defines.php file or using the Grav CLI
Check Version:
php bin/grav version
Verify Fix Applied:
Confirm version is 1.8.0-beta.27 or later and test template editing functionality
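Comparing a Grav version string against the patch version by hand is error-prone because of the pre-release suffix: 1.8.0-beta.26 is vulnerable, 1.8.0-beta.27 is not, and a plain 1.8.0 must sort after every beta. The following Python helper is an added example, not part of the advisory or of Grav itself; it parses the version token out of the `php bin/grav version` output (the surrounding wording of that output is assumed, only the x.y.z[-tag.n] token is relied on) and compares it against the fixed version from the advisory.

```python
import re

# Patch version named in the advisory.
FIXED_VERSION = "1.8.0-beta.27"

# Pre-release tags in ascending order; a final release outranks all of them.
_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_RELEASE_RANK = 3

_VERSION_RE = re.compile(
    r"^v?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:-(?P<tag>alpha|beta|rc)\.?(?P<num>\d+)?)?$",
    re.IGNORECASE,
)


def parse_version(version: str) -> tuple:
    """Turn '1.8.0-beta.27' into a sortable tuple (1, 8, 0, 1, 27).

    A plain release such as '1.8.0' becomes (1, 8, 0, 3, 0), so it sorts
    after every alpha/beta/rc build of the same number.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Grav version string: {version!r}")
    core = (int(m["major"]), int(m["minor"]), int(m["patch"]))
    if m["tag"] is None:
        return core + (_RELEASE_RANK, 0)
    return core + (_PRERELEASE_RANK[m["tag"].lower()], int(m["num"] or 0))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the patched one."""
    return parse_version(installed) < parse_version(fixed)


def extract_version(cli_output: str) -> str:
    """Pull the first x.y.z[-tag.n] token out of `php bin/grav version` output.

    The exact wording of that output is an assumption; only the version
    token itself is used.
    """
    m = re.search(r"\d+\.\d+\.\d+(?:-(?:alpha|beta|rc)\.?\d+)?", cli_output, re.IGNORECASE)
    if not m:
        raise ValueError("no version token found in CLI output")
    return m.group(0)


if __name__ == "__main__":
    # Constructed sample output, not captured from a real installation.
    sample = "Grav CLI Application 1.8.0-beta.26"
    v = extract_version(sample)
    print(f"installed {v}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
```

Pipe the real CLI output into `extract_version` (for example via `subprocess.run(["php", "bin/grav", "version"], capture_output=True, text=True).stdout`) and the same comparison applies; stable 1.7.x builds compare as older than 1.8.0-beta.27, matching the advisory's instruction to update to that version or later.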
📡 Detection & Monitoring
Log Indicators:
- Unusual template file modifications
- Suspicious POST requests to template editing endpoints
- Unexpected system command execution
Network Indicators:
- Unusual outbound connections from web server
- Traffic to known exploit frameworks
SIEM Query:
source="grav_access.log" AND (uri="/admin/templates" OR uri="/admin/pages") AND (status=200 OR status=500) AND (user_agent CONTAINS "curl" OR user_agent CONTAINS "wget")
Note the parentheses around the user-agent clause: without them the trailing OR binds loosest and the query matches every wget request regardless of URI or status.
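To show the intended logic of the SIEM query over real log lines, the following Python script is an added example (not part of the advisory and not Grav code). It parses combined-format web server access log lines, which is where Grav's HTTP traffic is actually recorded, and applies the query as (watched path) AND (status 200 or 500) AND (curl OR wget user agent). Two assumptions are labelled in the code: the path test is a prefix match, since real admin URIs carry a page slug after /admin/pages, and the sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Combined-log-format line, as written by Apache/Nginx in front of Grav.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Values taken from the SIEM query in the advisory.
WATCHED_PATHS = ("/admin/templates", "/admin/pages")
WATCHED_STATUS = {200, 500}
WATCHED_AGENTS = ("curl", "wget")


@dataclass
class LogEntry:
    ip: str
    user: str
    method: str
    uri: str
    status: int
    ua: str
    raw: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one combined-format line; return None for lines that do not fit."""
    m = _LOG_RE.match(line.strip())
    if not m:
        return None
    return LogEntry(m["ip"], m["user"], m["method"], m["uri"],
                    int(m["status"]), m["ua"], line)


def matches_query(e: LogEntry) -> bool:
    """The advisory's SIEM query with its intended precedence:
    (path) AND (status) AND (curl OR wget).

    Assumption: the path test is a prefix match, because real admin
    URIs look like /admin/pages/<slug>, not the bare /admin/pages.
    """
    path = e.uri.split("?", 1)[0]
    on_watched_path = any(path == p or path.startswith(p + "/") for p in WATCHED_PATHS)
    tool_agent = any(a in e.ua.lower() for a in WATCHED_AGENTS)
    return on_watched_path and e.status in WATCHED_STATUS and tool_agent


def scan(lines: Iterable[str]) -> List[LogEntry]:
    """Return the parsed entries that satisfy the query."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is not None and matches_query(e):
            hits.append(e)
    return hits


# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - editor [01/Mar/2025:10:00:01 +0000] "POST /admin/pages/home HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '192.0.2.11 - editor [01/Mar/2025:10:00:02 +0000] "GET /admin/pages HTTP/1.1" 200 9812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Mar/2025:10:00:03 +0000] "POST /admin/templates HTTP/1.1" 500 230 "-" "Wget/1.21.4"',
    '198.51.100.7 - - [01/Mar/2025:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Wget/1.21.4"',
    '192.0.2.12 - editor [01/Mar/2025:10:00:05 +0000] "POST /admin/pages HTTP/1.1" 403 128 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"ALERT {hit.ip} {hit.user} {hit.method} {hit.uri} {hit.status} {hit.ua}")
```

Of the five sample lines only the first and third are flagged; the fourth (a wget fetch of /index.php) is the case that the unparenthesised version of the query would have raised as a false positive, and the fifth is excluded by its 403 status.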