CVE-2025-66300
📋 TL;DR
A low-privilege user with page editing access in Grav can read arbitrary server files, including sensitive user account files containing password hashes and 2FA secrets. This allows account compromise through password reset token theft or hash cracking. All Grav installations with user accounts are affected.
💻 Affected Systems
- Grav CMS
📦 What is this software?
Grav by Getgrav
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through admin account takeover, leading to data theft, website defacement, or server compromise.
Likely Case
Privilege escalation where low-privilege users compromise admin or other user accounts to gain unauthorized access.
If Mitigated
Limited impact if strict access controls prevent unauthorized users from obtaining page editing privileges.
🎯 Exploit Status
Exploitation requires authenticated low-privilege access but is straightforward once obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.0-beta.27
Vendor Advisory: https://github.com/getgrav/grav/security/advisories/GHSA-p4ww-mcp9-j6f2
Restart Required: No
Instructions:
1. Back up your Grav installation.
2. Update Grav to version 1.8.0-beta.27 or later via the admin panel or CLI.
3. Verify that the update completed successfully.
🔧 Temporary Workarounds
Restrict Page Editing Privileges
Temporarily remove page editing access from all non-admin users until patched.
Edit each affected user's account YAML file to remove the 'pages' permission.
🧯 If You Can't Patch
- Implement strict access controls to limit page editing to trusted administrators only.
- Monitor user account files for unauthorized access attempts and review audit logs regularly.
🔍 How to Verify
Check if Vulnerable:
Check the installed Grav version in the admin panel or via the CLI: 'bin/gpm version'.
Check Version:
bin/gpm version
Verify Fix Applied:
Confirm that the reported version is 1.8.0-beta.27 or later using the same command.
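The two checks above (auditing which accounts still hold the 'pages' permission for the temporary workaround, and comparing the installed version against 1.8.0-beta.27) are easy to get wrong by hand when there are many accounts or a pre-release version string is involved. The following is an added example, not code from Grav or from the advisory: it parses a set of constructed account files, reports the non-admin users who can edit pages, and compares a version string against the fixed version with pre-release ordering (beta.3 < beta.27 < rc.1 < final). It assumes the Grav convention of one YAML file per user with the admin permissions nested under access -> admin (pages, super); adjust the lookup if your installation differs.

```python
import re

# Fixed version quoted by the advisory (GHSA-p4ww-mcp9-j6f2).
FIXED_VERSION = "1.8.0-beta.27"

# Constructed sample account files keyed by user name. The nesting
# (access -> admin -> pages/super) follows the Grav account-file layout as
# assumed by this example; it is not taken from the advisory text.
SAMPLE_ACCOUNTS = {
    "editor": "email: editor@example.com\nstate: enabled\n"
              "access:\n  admin:\n    login: true\n    pages: true\n"
              "  site:\n    login: true\n",
    "admin":  "email: admin@example.com\nstate: enabled\n"
              "access:\n  admin:\n    login: true\n    super: true\n",
    "reader": "email: reader@example.com\nstate: enabled\n"
              "access:\n  site:\n    login: true\n",
}


def parse_simple_yaml(text):
    """Parse the nested key: value subset of YAML that account files use.

    Only scalar values and indented mappings are handled; no lists, anchors
    or multi-line strings. Enough for an offline permission audit without a
    YAML dependency.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs for the open scopes
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:   # close scopes deeper than this line
            stack.pop()
        parent = stack[-1][1]
        if value == "":                 # "key:" opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip("'\"")
    return root


def page_editors(accounts):
    """Return the sorted names of non-admin users holding 'pages' access.

    Accounts with admin.super are full administrators and are left out;
    the workaround is about page-editing rights on lower-privilege users.
    """
    found = []
    for name, text in accounts.items():
        admin = parse_simple_yaml(text).get("access", {}).get("admin", {})
        if not isinstance(admin, dict):
            continue
        is_super = str(admin.get("super", "")).lower() == "true"
        can_edit = str(admin.get("pages", "")).lower() == "true"
        if can_edit and not is_super:
            found.append(name)
    return sorted(found)


_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d+)?)?")


def parse_version(version):
    """Turn '1.8.0-beta.27' into a tuple that orders pre-releases correctly."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, tag, num = m.groups()
    core = (int(major), int(minor), int(patch))
    if tag is None:
        return core + (1, "", 0)          # a final release sorts after any pre-release
    return core + (0, tag.lower(), int(num or 0))


def is_patched(installed, fixed=FIXED_VERSION):
    """True when the installed version is at or past the advisory's fix."""
    return parse_version(installed) >= parse_version(fixed)


if __name__ == "__main__":
    # Replace the constructed inputs with the output of 'bin/gpm version'
    # and the contents of user/accounts/*.yaml on a real installation.
    print("non-admin page editors:", page_editors(SAMPLE_ACCOUNTS))
    for v in ("1.7.48", "1.8.0-beta.26", "1.8.0-beta.27", "1.8.0"):
        print(f"{v:15} patched={is_patched(v)}")
```

The version regex deliberately accepts only the major.minor.patch[-tag.N] shape; anything else raises so that an unexpected version format is noticed rather than silently treated as patched.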
📡 Detection & Monitoring
Log Indicators:
- Unusual file read attempts in Grav logs
- Multiple failed login attempts followed by successful access
Network Indicators:
- Unusual outbound traffic from Grav server
SIEM Query:
source="grav_logs" AND (event="file_read" OR event="unauthorized_access")