CVE-2025-66298
📋 TL;DR
This CVE describes a Server-Side Template Injection (SSTI) vulnerability in Grav CMS: values from specially crafted POST requests to a site's forms reach Grav's Twig template engine and are evaluated, letting an attacker read sensitive configuration values. Any Grav site that exposes forms is affected, with database credentials, API keys and other configuration data at risk. The vulnerability affects Grav versions prior to 1.8.0-beta.27.
💻 Affected Systems
- Grav CMS
📦 What is this software?
Grav by Getgrav
⚠️ Risk & Real-World Impact
Worst Case
Complete exposure of all Grav configuration including database credentials, API keys, admin credentials, and plugin configurations leading to full system compromise.
Likely Case
Exposure of sensitive configuration data including database credentials and API keys, potentially enabling further attacks like database access or privilege escalation.
If Mitigated
Limited or no exposure if forms are disabled, or if user-supplied form values are never evaluated as Twig templates. Output escaping alone does not help here: the problem is template evaluation of attacker input, not rendering of it.
🎯 Exploit Status
Exploitation requires only a specially crafted POST payload to any form endpoint; no authentication is implied by the advisory. The advisory includes technical details sufficient to build a working exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.0-beta.27
Vendor Advisory: https://github.com/getgrav/grav/security/advisories/GHSA-8535-hvm8-2hmv
Restart Required: No
Instructions:
1. Back up your Grav installation.
2. Update to Grav version 1.8.0-beta.27 or later using the Grav Package Manager (GPM) or by downloading from GitHub.
3. Clear the cache: `bin/grav clear-cache`.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable or Remove Forms
Temporarily disable or remove all forms from your Grav site (or disable the Form plugin) until you can patch.
Input Validation Filter
Reject form submissions whose field values contain Twig delimiters (`{{`, `{%`, `{#`) before they are processed. URL-decode the values first; attackers routinely encode the braces (`%7B%7B`) to slip past naive filters.
🧯 If You Can't Patch
- Put a web application firewall (WAF) in front of the site with rules that block SSTI patterns (Twig delimiters, including their URL-encoded forms) in POST bodies.
- Restrict access to forms using authentication or IP allow-listing to limit the attack surface.
🔍 How to Verify
Check if Vulnerable:
Check your Grav version with `bin/grav --version`, or read the `GRAV_VERSION` constant in `system/defines.php`. If the version is below 1.8.0-beta.27 and the site has forms enabled, it is vulnerable.
Check Version:
bin/grav --version
Verify Fix Applied:
After updating, confirm the version is 1.8.0-beta.27 or higher with `bin/grav --version`. Then submit a test form with a harmless Twig expression such as `{{ 7*7 }}` in a text field and confirm the value is reflected verbatim rather than evaluated to `49`, and that no configuration data appears in the response.
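The version check above is easy to get wrong by hand because the fixed release is a pre-release (`beta.27` sorts below the final `1.8.0`, but above `beta.26`). The following script is an added example, not part of this advisory or of Grav's own tooling: it reads `GRAV_VERSION` from `system/defines.php`, compares it against 1.8.0-beta.27 with pre-release-aware ordering, and checks whether the Form plugin directory is present. It follows the page's statement that everything strictly below 1.8.0-beta.27 is affected; whether a separate fix exists on the 1.7 branch should be confirmed against the vendor advisory. The plugin path `user/plugins/form` and the `demo_assessment()` helper that builds a throwaway install are assumptions for illustration.

```python
import re
import tempfile
from pathlib import Path

FIXED_VERSION = "1.8.0-beta.27"  # first fixed version per the advisory

# Grav records its version in system/defines.php as: define('GRAV_VERSION', '1.7.48');
DEFINE_RE = re.compile(r"define\(\s*'GRAV_VERSION'\s*,\s*'([^']+)'\s*\)")
# major.minor.patch with an optional pre-release tag such as -beta.27 or -rc.1
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d+)?)?")


def parse_version(version: str):
    """Turn '1.8.0-beta.27' into a tuple that sorts correctly.

    A final release sorts after every pre-release of the same core version,
    and pre-release labels order lexically (alpha < beta < rc), which is
    sufficient for Grav's naming.
    """
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Grav version string: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    if m.group(4) is None:
        pre = (1,)                                   # final release
    else:
        pre = (0, m.group(4).lower(), int(m.group(5) or 0))  # pre-release
    return core, pre


def is_vulnerable_version(version: str) -> bool:
    """True when the version is strictly below the fixed version."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def extract_version(defines_php: str) -> str:
    """Pull GRAV_VERSION out of the contents of system/defines.php."""
    m = DEFINE_RE.search(defines_php)
    if not m:
        raise ValueError("GRAV_VERSION not found in defines.php")
    return m.group(1)


def assess(root: Path) -> dict:
    """Assess a Grav install rooted at `root`.

    Assumption: the Form plugin, which provides site forms, lives under
    user/plugins/form. A site without it has no form endpoints to attack.
    """
    version = extract_version((root / "system" / "defines.php").read_text())
    forms_present = (root / "user" / "plugins" / "form").is_dir()
    vulnerable = is_vulnerable_version(version)
    return {
        "version": version,
        "vulnerable_version": vulnerable,
        "form_plugin": forms_present,
        "exposed": vulnerable and forms_present,
    }


def demo_assessment(version: str = "1.8.0-beta.26", with_form_plugin: bool = True) -> dict:
    """Build a constructed, throwaway Grav layout and assess it (for demonstration)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system").mkdir()
        (root / "system" / "defines.php").write_text(
            f"<?php\ndefine('GRAV_VERSION', '{version}');\n"
        )
        if with_form_plugin:
            (root / "user" / "plugins" / "form").mkdir(parents=True)
        return assess(root)


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    result = assess(target) if target else demo_assessment()
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it with the Grav root as the only argument (`python check_grav.py /var/www/grav`); without an argument it assesses a constructed 1.8.0-beta.26 install with the Form plugin present and reports it as exposed.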
📡 Detection & Monitoring
Log Indicators:
- POST requests to form endpoints whose field values contain Twig delimiters (`{{`, `{%`, `{#`), in plain or URL-encoded form
- Unusually large response bodies from form submission endpoints (configuration dumps are far bigger than a thank-you page or redirect)
- Repeated form submissions from one source with varying, non-prose payloads
Network Indicators:
- POST bodies containing template syntax such as `{{` / `}}` or `%7B%7B` / `%7D%7D`, especially around Grav object names like `config` or `grav`
- Unusually large responses from form submission endpoints
SIEM Query (Splunk-style; adapt field names to your log source):
source="web_logs" AND method="POST" AND uri="*form*" AND (body="*{{*" OR body="*{%*" OR body="*%7B%7B*" OR body="*%7B%25*")
Matching on bare words such as `config` or `system` is noisy: they appear in ordinary contact-form messages. Match on the Twig delimiters first, including their URL-encoded forms, and only then look for Grav object names inside them.
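The detection logic described above, as an added example that is not part of this advisory: it scans constructed JSON web-log records for the indicators listed, URL-decodes bodies repeatedly so double-encoded payloads are still caught, rates a Twig print tag that references a Grav object such as `config` higher than bare delimiters, and treats an unusually large response as a weak secondary signal. The log format, the field names and the 50 KB response threshold are assumptions; the sample records are constructed for the demonstration. Note that the first record, a legitimate message mentioning "system configuration", would be flagged by a query matching bare words but is correctly ignored here.

```python
import json
import re
from urllib.parse import unquote_plus

# Twig delimiters: a form value containing any of these is the primary indicator
TWIG_DELIMS = re.compile(r"\{\{|\{%|\{#")
# Grav exposes objects such as `config` and `grav` to Twig. A reference to one of
# them inside a print tag is a much stronger signal than the bare word in prose.
TWIG_OBJECT_IN_TAG = re.compile(r"\{\{[^}]*\b(config|grav|system|uri|page|user)\b")
LARGE_RESPONSE_BYTES = 50_000  # assumption: normal form responses are small
MAX_DECODE_ROUNDS = 3          # enough to unwrap double/triple URL-encoding


def decode_body(raw: str) -> str:
    """URL-decode until the text stops changing, so %257B%257B still becomes {{."""
    text = raw
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify(record: dict):
    """Return (severity, reason) for one log record, or None if nothing is suspicious."""
    if record.get("method") != "POST":
        return None
    body = decode_body(record.get("body", ""))
    if TWIG_OBJECT_IN_TAG.search(body):
        return ("high", "Twig print tag referencing a Grav object in form data")
    if TWIG_DELIMS.search(body):
        return ("medium", "Twig delimiters in form data")
    if record.get("status") == 200 and record.get("bytes", 0) > LARGE_RESPONSE_BYTES:
        return ("low", "unusually large response from a form endpoint")
    return None


def scan(lines):
    """Scan JSON-lines web logs (assumed format) and return one alert per suspicious record."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        hit = classify(rec)
        if hit:
            alerts.append({"ip": rec["ip"], "uri": rec["uri"],
                           "severity": hit[0], "reason": hit[1]})
    return alerts


# Constructed sample records: one benign message, three injection attempts,
# a GET that must be ignored, and an oversized response to a clean POST.
SAMPLE_LOG = [
    '{"ip":"198.51.100.10","method":"POST","uri":"/contact","status":200,"bytes":512,'
    '"body":"name=Bob&message=Our+system+configuration+page+is+broken"}',
    '{"ip":"203.0.113.5","method":"POST","uri":"/contact","status":200,"bytes":8192,'
    '"body":"name=x&message=%7B%7B+config.system+%7D%7D"}',
    '{"ip":"203.0.113.5","method":"POST","uri":"/contact","status":200,"bytes":8192,'
    '"body":"name=x&message=%257B%257B+grav+%257D%257D"}',
    '{"ip":"203.0.113.6","method":"POST","uri":"/feedback","status":200,"bytes":640,'
    '"body":"message=%7B%25+if+1+%25%7D"}',
    '{"ip":"203.0.113.6","method":"GET","uri":"/contact","status":200,"bytes":640,'
    '"body":""}',
    '{"ip":"203.0.113.7","method":"POST","uri":"/contact","status":200,"bytes":120000,'
    '"body":"message=hello"}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['ip']} {alert['uri']}: {alert['reason']}")
```

To run it against real logs, replace `SAMPLE_LOG` with an iterator over your exported JSON lines and map your field names onto `method`, `uri`, `status`, `bytes` and `body`; the decoding loop and the two-tier regex are the parts worth keeping when porting the logic into a SIEM rule.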