CVE-2025-66844

9.1 CRITICAL

📋 TL;DR

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Grav CMS versions before 1.7.49.5. An attacker who can influence Twig template processing can make the server issue unauthorized requests to internal or external systems. All Grav installations with Twig processing enabled and registration of undefined PHP functions allowed are affected.

💻 Affected Systems

Products:
  • Grav CMS
Versions: All versions < 1.7.49.5
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Requires Twig processing enabled and a configuration that allows registration of undefined PHP functions.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full server compromise via SSRF to internal services, data exfiltration, or use of the server as a proxy for attacks against other systems.

🟠 Likely Case: Unauthorized access to internal network resources, metadata service exploitation, or port scanning from the vulnerable server.

🟢 If Mitigated: Limited to internal network reconnaissance if proper network segmentation and egress filtering are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires access to create/modify Twig templates, typically requiring some level of authenticated access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.49.5

Vendor Advisory: https://github.com/getgrav/grav/releases/tag/1.7.49.5

Restart Required: No

Instructions:

1. Back up your Grav installation.
2. Update Grav to version 1.7.49.5 or later via Composer (composer update getgrav/grav) or manual download.
3. Clear the cache if needed.

🔧 Temporary Workarounds

Disable Twig processing (Applies to: all)
  • Prevent Twig from processing page content if it is not required
  • Edit the site configuration to disable Twig processing for page content

Restrict PHP function registration (Applies to: all)
  • Disallow registration of undefined PHP functions in the Twig configuration
  • Set twig.undefined_functions: false in the Grav configuration

🧯 If You Can't Patch

  • Implement strict network egress filtering to limit outbound connections from the Grav server
  • Apply WAF rules to detect and block SSRF patterns in requests

🔍 How to Verify

Check if Vulnerable:

Check the Grav version in the admin panel or via the CLI: php bin/grav version

Check Version:

php bin/grav version

Verify Fix Applied:

Confirm the version is 1.7.49.5 or higher and verify that twig.undefined_functions is set to false.
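The two verification steps above (version at or above the fixed release, and the twig.undefined_functions setting) can be combined into one local check. The script below is an added example, not code from the advisory or from the Grav project; it assumes the version constant is defined in system/defines.php as define('GRAV_VERSION', '...'), that the setting lives in user/config/system.yaml, and that the key is enabled by default when absent. Both inputs in the block are constructed samples.

```python
"""Added example (not from the advisory or the Grav project): combine the
version check and the twig.undefined_functions check into one report.
Assumed file layout: system/defines.php and user/config/system.yaml."""
import re
from pathlib import Path
from typing import Optional

FIXED_VERSION = "1.7.49.5"  # fixed release named in the advisory


def parse_version(v: str) -> tuple:
    """'1.7.49.5' -> (1, 7, 49, 5); non-numeric parts are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def version_is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """Component-wise comparison, zero-padded so that
    1.7.49 < 1.7.49.5 <= 1.7.50 compare as expected."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def read_grav_version(defines_php: str) -> Optional[str]:
    """Pull GRAV_VERSION out of the text of system/defines.php (assumed layout)."""
    m = re.search(r"define\(\s*'GRAV_VERSION'\s*,\s*'([^']+)'\s*\)", defines_php)
    return m.group(1) if m else None


def twig_undefined_functions(system_yaml: str) -> Optional[bool]:
    """Minimal indentation-aware walk for the single key twig.undefined_functions.
    Deliberately not a full YAML parser. Returns None when the key is absent."""
    in_twig = False
    for raw in system_yaml.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                         # a new top-level section starts
            in_twig = line.strip() == "twig:"
            continue
        if in_twig:
            key, _, value = line.strip().partition(":")
            if key == "undefined_functions":
                return value.strip().lower() in ("true", "yes", "on", "1")
    return None


def assess(defines_php: str, system_yaml: str) -> dict:
    """Report both checks. 'exposed' is True when the version is below the fix
    and the setting is not explicitly false (assumption: the key is enabled by
    default, so an absent key is treated as enabled)."""
    version = read_grav_version(defines_php)
    fixed = bool(version) and version_is_fixed(version)
    setting = twig_undefined_functions(system_yaml)
    return {
        "version": version,
        "version_fixed": fixed,
        "undefined_functions": setting,
        "exposed": (not fixed) and (setting is not False),
    }


# Constructed sample inputs standing in for the two real files.
SAMPLE_DEFINES = "<?php\ndefine('GRAV_VERSION', '1.7.48');\n"
SAMPLE_SYSTEM_YAML = """\
pages:
  markdown:
    extra: false
twig:
  cache: true
  debug: true   # unrelated key
  undefined_functions: true
"""

if __name__ == "__main__":
    root = Path(".")
    defines, yaml_cfg = root / "system/defines.php", root / "user/config/system.yaml"
    if defines.exists() and yaml_cfg.exists():
        print(assess(defines.read_text(), yaml_cfg.read_text()))
    else:
        print("sample:", assess(SAMPLE_DEFINES, SAMPLE_SYSTEM_YAML))
```

Run it from the Grav root; when the real files are present it reports on them, otherwise it falls back to the constructed sample (which is deliberately below the fix with the setting enabled, so it reports exposed). The YAML walk only understands the one key it needs; a site that configures Twig through a non-standard layout should be checked with a real YAML parser.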

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from Grav server
  • Twig template compilation errors
  • Unexpected file:// or http:// requests in logs

Network Indicators:

  • HTTP requests from Grav server to internal services or unusual external domains
  • Port scanning activity originating from Grav server

SIEM Query:

source="grav_logs" AND ("twig" OR "template") AND ("http://" OR "file://" OR "gopher://")
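The log-side logic of that SIEM query, run over constructed Grav log lines, as an added example that is not code from the advisory or from the Grav project. It keeps the query's two conditions (a Twig/template context term plus a URL scheme) and adds a target classification so that hits against loopback, link-local (metadata service) or private addresses and file:// reads rank above ordinary external fetches. The Monolog-style log format and every line in the sample are constructed.

```python
"""Added example (not from the advisory or the Grav project): apply the SIEM
query's conditions to raw log lines and rank hits by where the request went."""
import ipaddress
import re
from typing import List, Optional

URL_RE = re.compile(r"\b(https?|file|gopher|ftp|dict)://([^\s/:'\"]*)", re.I)
CONTEXT_TERMS = ("twig", "template")          # mirrors the SIEM query
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]           # includes the cloud metadata range


def classify_target(scheme: str, host: str) -> str:
    """file:// is a local read; literal IPs are checked against internal ranges;
    anything else is a hostname that needs resolution before it can be judged."""
    if scheme == "file":
        return "local-file"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external-name"
    return "internal" if any(ip in n for n in INTERNAL_NETS) else "external-ip"


def scan_line(line: str) -> Optional[dict]:
    """Return a hit dict when the line matches both query conditions, else None."""
    lowered = line.lower()
    if not any(term in lowered for term in CONTEXT_TERMS):
        return None
    m = URL_RE.search(line)
    if not m:
        return None
    scheme, host = m.group(1).lower(), m.group(2)
    target = classify_target(scheme, host)
    return {
        "scheme": scheme,
        "host": host,
        "target": target,
        "severity": "high" if target in ("internal", "local-file") else "medium",
        "line": line,
    }


def scan_log(text: str) -> List[dict]:
    """Apply scan_line to every line and keep the hits, in log order."""
    return [hit for hit in map(scan_line, text.splitlines()) if hit]


# Constructed sample in Monolog style; none of these lines came from a real server.
SAMPLE_LOG = """\
[2025-01-01 10:00:01] grav.INFO: Page /blog rendered
[2025-01-01 10:00:02] grav.ERROR: Twig template error: failed to open stream http://169.254.169.254/latest/meta-data/
[2025-01-01 10:00:03] grav.INFO: template cache refreshed
[2025-01-01 10:00:04] grav.WARNING: twig: file_get_contents(file:///etc/hostname): failed
[2025-01-01 10:00:05] grav.INFO: Template helper fetched https://cdn.example.com/asset.css
[2025-01-01 10:00:06] grav.INFO: curl to http://10.0.0.5:8080/ by scheduler
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['severity']:6} {hit['target']:13} {hit['scheme']}://{hit['host']}")
```

The last sample line shows the query's blind spot: an outbound request to an internal host whose log line never mentions Twig or a template is not matched, which is why the network indicators above (egress monitoring from the Grav host) are needed alongside the log query.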
