CVE-2025-66303
📋 TL;DR
A Denial of Service vulnerability in Grav allows attackers to disrupt the admin panel by submitting malicious cron expressions in the scheduled_at parameter. This affects Grav administrators who can access the admin interface. The vulnerability requires manual server access to restore functionality.
💻 Affected Systems
- Grav CMS
📦 What is this software?
Grav by Getgrav
⚠️ Risk & Real-World Impact
Worst Case
Complete unavailability of the Grav admin panel, requiring manual server access to restore functionality, disrupting all administrative operations indefinitely.
Likely Case
Temporary disruption of admin panel functionality until manual intervention corrects the corrupted cron expression in backup.yaml.
If Mitigated
Minimal impact with proper input validation and access controls preventing malicious parameter manipulation.
🎯 Exploit Status
Exploitation requires access to the admin interface where scheduled_at parameters can be modified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.0-beta.27
Vendor Advisory: https://github.com/getgrav/grav/security/advisories/GHSA-x62q-p736-3997
Restart Required: No
Instructions:
1. Backup your Grav installation.
2. Update Grav to version 1.8.0-beta.27 or later via the admin panel or command line.
3. Verify the update completed successfully.
🔧 Temporary Workarounds
Restrict Admin Access
Limit access to the Grav admin panel to trusted IP addresses only.
# Configure web server (e.g., Apache/Nginx) to restrict /admin path to specific IPs
Input Validation Filter
Implement custom input validation for the scheduled_at parameter so that malformed or malicious cron expressions are rejected before they are saved.
# Add custom validation in Grav plugins or themes to sanitize scheduled_at input
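As an added example (not Grav's own code and not the vendor fix), the kind of allow-list check this workaround describes, written as a standalone PHP function; it assumes the standard five-field cron syntax and that it is called before a scheduled_at value is persisted to backup.yaml:

```php
<?php
// Added example, not Grav's own code: a strict allow-list check for a
// five-field cron expression (minute hour day-of-month month day-of-week),
// intended to run before a scheduled_at value is written to backup.yaml.

function isSafeCronExpression(string $expr): bool
{
    // Length cap first, so a pathological string never reaches a cron parser.
    if (strlen($expr) > 100) {
        return false;
    }
    $fields = preg_split('/\s+/', trim($expr));
    if ($fields === false || count($fields) !== 5) {
        return false;
    }
    // Allowed [min, max] per field, in order.
    $ranges = [[0, 59], [0, 23], [1, 31], [1, 12], [0, 7]];
    foreach ($fields as $i => $field) {
        if (!isCronFieldValid($field, $ranges[$i][0], $ranges[$i][1])) {
            return false;
        }
    }
    return true;
}

function isCronFieldValid(string $field, int $min, int $max): bool
{
    // Each comma-separated item must be one of: *, n, a-b, */s, a-b/s.
    foreach (explode(',', $field) as $item) {
        if (!preg_match('/^(\*|(\d{1,2})(?:-(\d{1,2}))?)(?:\/(\d{1,2}))?$/', $item, $m)) {
            return false;
        }
        if ($m[1] !== '*') {
            $lo = (int) $m[2];
            $hi = ($m[3] ?? '') !== '' ? (int) $m[3] : $lo;
            if ($lo < $min || $hi > $max || $lo > $hi) {
                return false;
            }
        }
        if (($m[4] ?? '') !== '' && (int) $m[4] < 1) {
            return false; // a zero step would loop forever in naive parsers
        }
    }
    return true;
}

// Constructed inputs: two legitimate schedules followed by malformed ones.
foreach (['0 3 * * *', '*/15 0-6 * * 1-5', '99 * * * *', '* * * *', '*/0 * * * *', str_repeat('*', 200)] as $e) {
    echo (isSafeCronExpression($e) ? 'accept ' : 'reject ') . substr($e, 0, 20) . "\n";
}
```

The allow-list is deliberately narrow (no names such as MON or JAN, no `?` or `L` extensions), which is the safer default for a field that is only meant to hold a backup schedule.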
🧯 If You Can't Patch
- Restrict admin panel access to specific trusted IP addresses only.
- Monitor and audit all admin panel access attempts for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check the Grav version via the admin panel or by examining the system/grav.yaml file for the version number.
Check Version:
php bin/grav version
Verify Fix Applied:
Confirm Grav version is 1.8.0-beta.27 or later and test admin panel functionality with various scheduled_at inputs.
📡 Detection & Monitoring
Log Indicators:
- Failed admin panel access attempts
- Unusual cron expression submissions in scheduled_at parameter
- Admin panel error logs indicating parsing failures
Network Indicators:
- HTTP requests to admin endpoints with unusual scheduled_at parameter values
- Increased error responses from admin panel
SIEM Query:
source="grav_logs" AND (message="*scheduled_at*" OR message="*cron*error*")