CVE-2025-66299
📋 TL;DR
Grav CMS versions before 1.8.0-beta.27 contain a Server-Side Template Injection vulnerability that allows authenticated users with editor permissions to execute arbitrary code on the server by bypassing the Twig sandbox. This enables remote code execution through malicious Twig template directives. Only authenticated editors can exploit this vulnerability.
💻 Affected Systems
- Grav CMS
📦 What is this software?
Grav by Getgrav
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise with attacker gaining complete control over the web server, allowing data theft, malware deployment, and lateral movement within the network.
Likely Case
Authenticated editor exploits the vulnerability to execute arbitrary code, potentially compromising the web application and underlying server.
If Mitigated
With proper access controls limiting editor permissions to trusted users only, the attack surface is reduced but still presents significant risk.
🎯 Exploit Status
Exploitation requires authenticated access with editor permissions and knowledge of Twig template injection techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.0-beta.27 and later
Vendor Advisory: https://github.com/getgrav/grav/security/advisories/GHSA-gjc5-8cfh-653x
Restart Required: Yes
Instructions:
1. Backup your Grav installation and database.
2. Update Grav CMS to version 1.8.0-beta.27 or later via the admin panel or command line.
3. Clear the cache.
4. Restart the web server.
🔧 Temporary Workarounds
Restrict Editor Permissions
Temporarily remove or restrict editor permissions for all non-essential users until patching can be completed.
# Edit user accounts in Grav admin panel or user/accounts.yaml files
Web Application Firewall Rules
Implement WAF rules to block Twig template injection patterns and suspicious template directives.
# Configure WAF specific to your environment
🧯 If You Can't Patch
- Implement strict access controls to limit editor permissions to absolute minimum required users
- Monitor and audit all editor account activity for suspicious template modifications
🔍 How to Verify
Check if Vulnerable:
Check Grav version in admin panel or via command: php bin/grav version
Check Version:
php bin/grav version
Verify Fix Applied:
Confirm version is 1.8.0-beta.27 or higher and test that Twig sandbox protections are functioning
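A version check for the step above, written as an added example (not code from the advisory or from the Grav project): it extracts the version token from whatever `php bin/grav version` prints and ranks it against the fixed release 1.8.0-beta.27. It assumes Grav versions follow MAJOR.MINOR.PATCH with an optional `-<tag>.N` pre-release suffix (e.g. `1.8.0-beta.26`) and that a final release ranks above every pre-release of the same core version, as in semantic versioning; the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Grav itself: classify the
# version reported by `php bin/grav version` against the fixed release.
# Assumptions: versions look like MAJOR.MINOR.PATCH with an optional
# "-<tag>.N" pre-release suffix, and a final release ranks above every
# pre-release of the same core version (semver ordering).

FIXED_VERSION="1.8.0-beta.27"

# prerelease_rank "-beta.27" -> 27; "" (final release) -> large sentinel,
# so that 1.8.0 ranks above 1.8.0-beta.N.
prerelease_rank() {
  case "$1" in
    "") printf '%s\n' 1000000 ;;
    *)  printf '%s\n' "${1##*.}" ;;
  esac
}

# version_cmp A B: prints -1, 0 or 1 as A is older than, equal to,
# or newer than B.
version_cmp() {
  a_core=${1%%-*}; b_core=${2%%-*}
  a_pre=${1#"$a_core"}; b_pre=${2#"$b_core"}
  old_ifs=$IFS; IFS=.
  set -- $a_core; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
  set -- $b_core; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
  IFS=$old_ifs
  # Compare the numeric core first, most significant component first.
  for pair in "$a1:$b1" "$a2:$b2" "$a3:$b3"; do
    x=${pair%%:*}; y=${pair##*:}
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
  done
  # Same core version: decide on the pre-release tag.
  x=$(prerelease_rank "$a_pre"); y=$(prerelease_rank "$b_pre")
  if [ "$x" -lt "$y" ]; then printf '%s\n' -1
  elif [ "$x" -gt "$y" ]; then printf '%s\n' 1
  else printf '%s\n' 0
  fi
}

# grav_version_status "<output of php bin/grav version>":
# prints VULNERABLE, PATCHED or UNKNOWN (no version token found).
grav_version_status() {
  ver=$(printf '%s\n' "$1" \
        | grep -oE '[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z]+\.[0-9]+)?' | head -n 1)
  if [ -z "$ver" ]; then
    echo UNKNOWN
  elif [ "$(version_cmp "$ver" "$FIXED_VERSION")" -lt 0 ]; then
    echo VULNERABLE
  else
    echo PATCHED
  fi
}

# Run against a live install when executed from the Grav root directory.
if [ -f bin/grav ] && command -v php >/dev/null 2>&1; then
  echo "Grav: $(grav_version_status "$(php bin/grav version 2>/dev/null)")"
fi
```

Run it from the Grav root as `sh grav_version_check.sh`; a result of `VULNERABLE` means the install is older than 1.8.0-beta.27 and the patch or the workarounds above still apply, while `UNKNOWN` means the command output carried no recognisable version and should be checked by hand in the admin panel.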
📡 Detection & Monitoring
Log Indicators:
- Unusual Twig template modifications
- Editor account performing unexpected template edits
- Suspicious PHP function calls in logs
Network Indicators:
- Unusual POST requests to template editing endpoints
- Requests containing Twig injection patterns
SIEM Query:
source="grav_logs" AND ("twig" OR "template") AND ("inject" OR "eval" OR "system")