CVE-2025-66295
📋 TL;DR
This vulnerability allows authenticated users with account creation privileges to perform path traversal attacks when creating new users in Grav CMS. By supplying usernames containing sequences like '../' or '..\', attackers can write account YAML files outside the intended directory, potentially exposing sensitive account data. This affects all Grav installations prior to version 1.8.0-beta.27 where user creation privileges are granted.
💻 Affected Systems
- Grav CMS
📦 What is this software?
Grav by Getgrav
⚠️ Risk & Real-World Impact
Worst Case
An attacker with user creation privileges could write YAML files containing sensitive account data (including hashed passwords and 2FA secrets) to arbitrary locations on the filesystem, potentially enabling account takeover, privilege escalation, or further system compromise.
Likely Case
An authenticated attacker with user creation privileges writes account files to unintended locations, potentially exposing sensitive user data or enabling account manipulation through file system access.
If Mitigated
With proper access controls limiting user creation privileges to trusted administrators only, the attack surface is significantly reduced, though the vulnerability still exists in the codebase.
🎯 Exploit Status
Exploitation requires authenticated access with user creation privileges. The vulnerability is straightforward to exploit once those conditions are met.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.0-beta.27
Vendor Advisory: https://github.com/getgrav/grav/security/advisories/GHSA-h756-wh59-hhjv
Restart Required: No
Instructions:
1. Update Grav to version 1.8.0-beta.27 or later.
2. Use the Grav GPM update command: 'bin/gpm selfupgrade' followed by 'bin/gpm update'.
3. Verify the update completed successfully.
🔧 Temporary Workarounds
Restrict User Creation Privileges
Temporarily remove or restrict user creation privileges from all non-essential accounts until patching can be completed.
🧯 If You Can't Patch
- Review and audit all user accounts with creation privileges, removing unnecessary permissions
- Implement file system monitoring for YAML file creation outside the user/accounts/ directory
🔍 How to Verify
Check if Vulnerable:
Check Grav version by examining the CHANGELOG.md file or running 'bin/gpm version'. If version is earlier than 1.8.0-beta.27, the system is vulnerable.
Check Version:
bin/gpm version
Verify Fix Applied:
After updating, verify the version is 1.8.0-beta.27 or later using 'bin/gpm version'. Test user creation with path traversal sequences to confirm they are now rejected.
📡 Detection & Monitoring
Log Indicators:
- Failed user creation attempts with unusual usernames
- File write operations outside user/accounts/ directory
- Admin panel user creation logs with path traversal patterns
Network Indicators:
- POST requests to admin user creation endpoints with suspicious username parameters
SIEM Query:
source="grav_logs" AND (username="*../*" OR username="*..\*" OR path="*outside user/accounts/*")
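The two defensive checks this page describes, rejecting traversal sequences in usernames (the behaviour "Verify Fix Applied" tells you to test for) and triaging user-creation log lines for them (the SIEM query above), as an added Python example that is not Grav's own code. The log format, the user/accounts/ layout and the function names are assumptions.

```python
import os
import re

# Assumed layout: Grav account YAML files live under user/accounts/<username>.yaml
ACCOUNTS_DIR = os.path.abspath("user/accounts")
# Matches the '../' and '..\' sequences named in the advisory
TRAVERSAL = re.compile(r"\.\.[\\/]")


def is_safe_username(username: str, accounts_dir: str = ACCOUNTS_DIR) -> bool:
    """Return True only if <username>.yaml would land directly inside accounts_dir.

    Two independent checks: a pattern test for '../' and '..\', then a
    canonical-path containment test that also rejects absolute paths and any
    other separator trick a pure string match would miss.
    """
    if not username or TRAVERSAL.search(username):
        return False
    if "/" in username or "\\" in username:
        return False
    target = os.path.abspath(os.path.join(accounts_dir, username + ".yaml"))
    return os.path.dirname(target) == accounts_dir


# Constructed sample log lines (assumed format, not real Grav log output)
SAMPLE_LOG = """\
2025-01-10 10:01:02 admin user.create username=alice
2025-01-10 10:02:17 admin user.create username=../../../tmp/evil
2025-01-10 10:03:40 admin user.create username=..\\..\\config\\bob
2025-01-10 10:04:05 admin user.create username=carol
"""


def flag_suspicious_creations(log_text: str) -> list:
    """Return usernames from user.create events that fail the safety check.

    This mirrors the SIEM query above, but applies the same path logic the
    application should enforce instead of only matching '../' literally.
    """
    hits = []
    for line in log_text.splitlines():
        match = re.search(r"user\.create username=(\S+)", line)
        if match and not is_safe_username(match.group(1)):
            hits.append(match.group(1))
    return hits


if __name__ == "__main__":
    print(flag_suspicious_creations(SAMPLE_LOG))
```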