CVE-2025-66297
📋 TL;DR
This vulnerability allows authenticated users with admin panel access in Grav CMS to escalate privileges to full admin or execute arbitrary system commands by injecting malicious Twig expressions. It affects Grav CMS installations prior to version 1.8.0-beta.27 where users have page creation/edit permissions.
💻 Affected Systems
- Grav CMS
📦 What is this software?
Grav by Getgrav
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via remote code execution leading to data theft, lateral movement, and complete control of the server.
Likely Case
Privilege escalation to admin followed by data manipulation, additional user creation, or installation of backdoors.
If Mitigated
Limited impact if proper access controls restrict admin panel access and page editing permissions.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.0-beta.27
Vendor Advisory: https://github.com/getgrav/grav/security/advisories/GHSA-858q-77wx-hhx6
Restart Required: No
Instructions:
1. Backup your Grav installation and database.
2. Update Grav to version 1.8.0-beta.27 or later via the admin panel or manually.
3. Verify the update was successful.
🔧 Temporary Workarounds
Restrict Admin Panel Access
Limit access to the Grav admin panel to only trusted users who absolutely need it.
Disable Page Editing Permissions
Remove page creation and editing permissions from non-admin users.
🧯 If You Can't Patch
- Implement strict access controls to limit admin panel access to essential personnel only.
- Monitor logs for suspicious Twig processing or scheduler API activity.
🔍 How to Verify
Check if Vulnerable:
Check your Grav version in the admin panel or via the command line with 'bin/gpm version'.
Check Version:
bin/gpm version
Verify Fix Applied:
Confirm version is 1.8.0-beta.27 or higher using 'bin/gpm version' or admin panel.
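The version check above, as an added helper that is not part of the advisory or of Grav itself: it compares a Grav version string against the fixed release 1.8.0-beta.27 with correct pre-release ordering (1.8.0-beta.26 is vulnerable, 1.8.0-beta.27 and the final 1.8.0 are not). It assumes Grav versions follow SemVer-style MAJOR.MINOR.PATCH with an optional -tag.N suffix, and that `bin/gpm version` prints the installed version as the first version-like token of its output.

```python
"""Classify a Grav version against the fix for CVE-2025-66297."""
import re
import subprocess

# Fixed release named in the vendor advisory.
FIXED_VERSION = "1.8.0-beta.27"

# Assumption: MAJOR.MINOR.PATCH plus an optional pre-release tag (-beta.27, -rc.1).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d*))?")


def parse_version(text):
    """Return a sortable tuple for the first version-like token in `text`.

    A pre-release sorts before the final release of the same number:
    (1, 8, 0, 0, 'beta', 27) < (1, 8, 0, 1, '', 0).
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in: {text!r}")
    major, minor, patch, tag, tagnum = m.groups()
    core = (int(major), int(minor), int(patch))
    if tag is None:
        return core + (1, "", 0)                   # final release
    return core + (0, tag.lower(), int(tagnum or 0))  # pre-release


def is_vulnerable(version_text):
    """True when the version predates 1.8.0-beta.27."""
    return parse_version(version_text) < parse_version(FIXED_VERSION)


def check_installation(gpm_path="bin/gpm"):
    """Run `bin/gpm version` from the Grav root and classify the result.

    Returns (installed_version, vulnerable). Assumption: the installed
    version is the first version-like token the command prints.
    """
    out = subprocess.run(["php", gpm_path, "version"],
                         capture_output=True, text=True, check=True).stdout
    m = _VERSION_RE.search(out)
    if not m:
        raise RuntimeError("could not find a version in gpm output")
    return m.group(0), is_vulnerable(m.group(0))


if __name__ == "__main__":
    installed, vulnerable = check_installation()
    print(installed, "VULNERABLE" if vulnerable else "patched")
```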
📡 Detection & Monitoring
Log Indicators:
- Unusual Twig processing in page frontmatter
- Suspicious scheduler API calls
- Unexpected privilege escalation events
Network Indicators:
- Unusual admin panel activity from non-admin users
- Scheduler API requests with malicious payloads
SIEM Query:
source="grav_logs" AND (event="twig_processing" OR event="scheduler_execution") AND user!="admin"