Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2025-66300

Grav is vulnerable to Arbitrary File Read
Back to all
CVE

CVE-2025-66300

Grav is vulnerable to Arbitrary File Read

Summary

  • A low privilege user account with page editing privilege can read any server files using "Frontmatter" form.
  • This includes Grav user account files - /grav/user/accounts/*.yaml. This file stores hashed user password, 2FA secret, and the password reset token.
  • This can allow an adversary to compromise any registered account by resetting a password for a user to get access to the password reset token from the file or by cracking the hashed password.

Details

The vulnerability can be found in /user/plugins/form/templates/forms/fields/display/display.html.twig

!image

PoC

  1. This PoC was conducted on Grav CMS version 1.7.46 and Admin Plugin version 1.10.46

 

!image

  1. go to “http://grav.local/admin/pages” then create new page with “Page Template” option set to “Form”.

 

!image

  1. Then go to “Expert” and on Frontmatter input box used to following form template.

!image

  1. Save page and go the preview or published page you will see the content of “/etc/passwd” file on the server.

 

!image

Impact

This can allow a low privileged user to perform a full account takeover of other registered users including Administrators. This can also allow an adversary to read any file on the web server. And Due to insufficient permission verification , user who can write a page also can use frontmatter feature using this IDOR vulnerability PoC IDOR mention in CVE-2024-2792

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.5
-
3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
C
H
U
-

Related Resources

No items found.

References

https://github.com/getgrav/grav/security/advisories/GHSA-p4ww-mcp9-j6f2, https://nvd.nist.gov/vuln/detail/CVE-2025-66300, https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee, https://github.com/getgrav/grav

Severity

8.5

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
8.5
EPSS Probability
0.00066%
EPSS Percentile
0.20787%
Introduced Version
0
Fix Available
1.8.0-beta.27

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading