CVE-2025-66302
📋 TL;DR
Grav CMS versions before 1.8.0-beta.27 contain a path traversal vulnerability in the backup tool that allows authenticated administrators to read arbitrary files on the server filesystem. This occurs due to insufficient input sanitization of user-supplied paths, enabling access outside the intended webroot directory. The impact severity depends on the privileges of the application's user account.
💻 Affected Systems
- Grav CMS
📦 What is this software?
Grav by Getgrav
⚠️ Risk & Real-World Impact
Worst Case
Administrator credentials are compromised, allowing attackers to read sensitive system files (e.g., /etc/passwd, configuration files, database credentials), potentially leading to full server compromise.
Likely Case
Malicious administrator or compromised admin account reads sensitive application files, configuration data, or user information stored outside webroot.
If Mitigated
With proper access controls and monitoring, impact is limited to files readable by the application's user account, which should have minimal permissions.
🎯 Exploit Status
Exploitation requires administrative credentials. The vulnerability is in the backup tool's path handling.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.0-beta.27
Vendor Advisory: https://github.com/getgrav/grav/security/advisories/GHSA-j422-qmxp-hv94
Restart Required: No
Instructions:
1. Update Grav CMS to version 1.8.0-beta.27 or later.
2. Use the built-in update mechanism or manually replace files with the patched version from GitHub.
3. No service restart is required, as Grav is a file-based CMS.
🔧 Temporary Workarounds
Disable backup functionality
Temporarily disable or restrict access to the backup tool in the Grav CMS admin panel.
Restrict admin access
Limit administrative accounts to trusted users only and implement strong authentication.
🧯 If You Can't Patch
- Restrict file system permissions for the Grav application user to read-only access within the webroot directory.
- Implement network segmentation to isolate Grav CMS from sensitive systems and monitor admin account activity.
🔍 How to Verify
Check if Vulnerable:
Check the Grav version in the admin panel or examine /user/config/system.yaml for the version number.
Check Version:
grep -i version /user/config/system.yaml
Verify Fix Applied:
Confirm version is 1.8.0-beta.27 or later and test backup functionality with path traversal attempts.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in web server logs
- Multiple failed path traversal attempts in application logs
- Admin backup tool usage with unusual file paths
Network Indicators:
- HTTP requests to backup endpoints with path traversal patterns (e.g., ../ sequences)
SIEM Query:
web_access_logs WHERE uri CONTAINS '/admin/backup' AND (uri CONTAINS '../' OR uri CONTAINS '..%2F')
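The SIEM query above matches only the two literal forms `../` and `..%2F`, so a request that encodes the dots as well (`%2e%2e%2f`) slips past it. The script below is an added example, not part of this advisory or of Grav's own code: it runs the same detection logic over a handful of constructed access-log lines in combined log format, URL-decodes each URI before matching so encoded variants are caught, scopes the match to the backup endpoint so ordinary traversal noise elsewhere on the site is ignored, and counts attempts per source so the "multiple attempts" indicator can be alerted on. The `/admin/backup` path comes from the query above; the `file=` query parameter and the usernames and addresses in the sample lines are assumptions made up for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (Apache/nginx combined format).
# Addresses, usernames and the "file=" parameter are invented for this example.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Mar/2025:10:01:02 +0000] "GET /admin/backup?file=../../../../etc/passwd HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
10.0.0.5 - admin [12/Mar/2025:10:01:09 +0000] "GET /admin/backup?file=..%2F..%2Fuser%2Fconfig%2Fsystem.yaml HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - admin [12/Mar/2025:10:02:30 +0000] "GET /admin/backup HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2025:10:03:00 +0000] "GET /blog/../index HTTP/1.1" 301 0 "-" "curl/8.0"
10.0.0.5 - admin [12/Mar/2025:10:04:11 +0000] "GET /admin/backup?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line that the detection needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

# A dot-dot segment followed by a slash or backslash, after decoding.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def is_traversal(uri):
    """True if the URI contains a traversal sequence in raw, percent-encoded
    or double-percent-encoded form."""
    decoded = uri
    for _ in range(2):
        if TRAVERSAL_RE.search(decoded):
            return True
        decoded = unquote(decoded)
    return TRAVERSAL_RE.search(decoded) is not None


def find_backup_traversal(log_text, endpoint="/admin/backup"):
    """Return one record per request to the backup endpoint whose URI
    carries a traversal sequence. Lines that are not in combined format
    and traversal attempts against other paths are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        uri = m.group("uri")
        # Compare the decoded path only, so the query string cannot hide the endpoint.
        path = unquote(uri.split("?", 1)[0])
        if not path.startswith(endpoint):
            continue
        if is_traversal(uri):
            hits.append({
                "ip": m.group("ip"),
                "user": m.group("user"),
                "time": m.group("ts"),
                "uri": uri,
                "status": int(m.group("status")),
            })
    return hits


def attempts_by_source(hits):
    """Count matching requests per source address, to surface repeated attempts
    from one client (the 'multiple attempts' indicator above)."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    matches = find_backup_traversal(SAMPLE_LOG)
    for h in matches:
        print(f'{h["time"]} {h["ip"]} user={h["user"]} status={h["status"]} {h["uri"]}')
    print("attempts per source:", dict(attempts_by_source(matches)))
```

Note that the third sample hit was answered with a 403 and still appears in the output: a blocked attempt is still evidence that an administrator account is probing the backup tool, which is exactly the compromised-admin scenario described under Likely Case, so the status code should not be used to filter the alert.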