CVE-2025-66295: Critical Path Traversal Vulnerability in Grav CMS User Creation

Overview

CVE-2025-66295 is a high-severity vulnerability affecting Grav CMS, a file-based web platform. Specifically, it is a path traversal flaw in the user creation process of the Admin UI. It allows a malicious user who already holds user creation privileges to place traversal sequences in the username field and thereby write the new account's YAML file to arbitrary locations outside the intended user/accounts/ directory.

Technical Details

The vulnerability stems from insufficient sanitization of the username field during user creation via the Admin UI. When a user with the appropriate privileges (i.e., the ability to create new users) submits a username containing path traversal sequences such as ..\Nijat or ../Nijat, Grav neither strips nor rejects them. The crafted username is therefore used verbatim to construct the file path of the new user's account YAML file, and the traversal sequence is honoured when the file is written.

Since the account YAML file stores sensitive information, including the user’s email, full name, Two-Factor Authentication (2FA) secret, and the hashed password, writing this file to an unintended location could expose this information to unauthorized access, leading to potential account compromise.
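To make the flaw concrete, the following added example (not Grav's own code) contrasts the vulnerable pattern described above, where the username is joined straight onto the accounts directory, with a hardened version that allowlists the username and then re-checks that the resolved path stays inside the directory. The accounts path, the allowlist regex and the sample usernames other than the two traversal forms quoted in the advisory are assumptions made for this demonstration.

```python
import os
import re

# Constructed sample usernames for the demonstration; the two traversal forms
# are the ones the advisory quotes, the rest are made up here.
SAMPLE_USERNAMES = ["alice", "ok_name-1", "../Nijat", "..\\Nijat", "nested/dir", "alice..bob"]

# Assumed allowlist: lowercase letters, digits, underscore, hyphen, 3-32 chars.
# Grav's real username rule is not described on the page; this is an example policy.
USERNAME_RE = re.compile(r"[a-z0-9_-]{3,32}")


def naive_account_path(accounts_dir: str, username: str) -> str:
    """Vulnerable pattern: the username is dropped straight into the file name."""
    return os.path.join(accounts_dir, username + ".yaml")


def escapes_directory(accounts_dir: str, username: str) -> bool:
    """True when the naive path, once resolved, lands outside accounts_dir."""
    base = os.path.realpath(accounts_dir)
    target = os.path.realpath(naive_account_path(accounts_dir, username))
    return os.path.commonpath([base, target]) != base


def safe_account_path(accounts_dir: str, username: str) -> str:
    """Hardened pattern: allowlist the username, then re-check containment.

    The allowlist is the real control: on POSIX a backslash is an ordinary
    character, so '..\\Nijat' would pass a containment-only check there while
    still traversing on Windows. The containment check is defence in depth.
    """
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"rejected username {username!r}: not in allowlist")
    base = os.path.realpath(accounts_dir)
    target = os.path.realpath(os.path.join(base, username + ".yaml"))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"rejected username {username!r}: escapes accounts directory")
    return target


def evaluate(accounts_dir: str, usernames: list[str]) -> dict[str, str]:
    """Map each username to its verdict and note whether the naive path escaped."""
    results = {}
    for name in usernames:
        try:
            safe_account_path(accounts_dir, name)
            verdict = "accepted"
        except ValueError:
            verdict = "rejected"
        if escapes_directory(accounts_dir, name):
            verdict += " (naive path escaped)"
        results[name] = verdict
    return results


if __name__ == "__main__":
    accounts = "/srv/grav/user/accounts"  # constructed path; it need not exist
    for name, verdict in evaluate(accounts, SAMPLE_USERNAMES).items():
        print(f"{name!r:16} -> {verdict}")
```

Running it shows that only `../Nijat` actually escapes the directory on a POSIX host, while `..\Nijat` would sit inside it as an oddly named file there but traverse on Windows; that is why the hardened version rejects on the allowlist first rather than trusting path resolution alone.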

CVSS Analysis

  • Severity: HIGH
  • CVSS Score: 8.8

A CVSS score of 8.8 places this vulnerability in the High severity band. Exploitation could lead to significant data breaches and unauthorized access to user accounts.

Possible Impact

Successful exploitation of CVE-2025-66295 can have severe consequences:

  • Account Takeover: Attackers can gain access to user accounts by exploiting the misplaced YAML files containing hashed passwords or 2FA secrets.
  • Data Breach: Sensitive user information, including email addresses and full names, can be exposed.
  • Privilege Escalation: If an attacker gains control of an administrator account, they can fully compromise the Grav CMS installation and potentially the underlying server.
  • Website Defacement: With compromised accounts, attackers could modify website content or inject malicious code.

Mitigation or Patch Steps

The vulnerability is fixed in Grav CMS version 1.8.0-beta.27. It is strongly recommended to upgrade to this version or a later stable release as soon as possible.

  1. Upgrade Grav CMS: The primary mitigation is to update your Grav CMS installation to version 1.8.0-beta.27 or a later stable release. Follow the official Grav CMS upgrade documentation.
  2. Review User Permissions: Limit user creation privileges to only trusted administrators. Regularly review user permissions to ensure least privilege is enforced.
  3. Web Application Firewall (WAF): Consider implementing a WAF to help detect and block path traversal attempts. Configure the WAF to monitor for suspicious input in the username field.
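Step 3 above asks for monitoring of the username field. The following added example (not part of the advisory and not a rule from any WAF product) shows the detection logic such a rule needs: it parses constructed request-log lines that record the username field of the user-creation form, percent-decodes the value repeatedly so that double encoding is seen through, and flags a `..` segment delimited by a slash, backslash or string boundary. The log format, client addresses and all usernames other than the two traversal forms quoted in the advisory are constructed for this demonstration.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample log lines in a combined-log style extended with the
# recorded username field of the admin user-creation form. They are made up
# for this example; the traversal forms are the two the advisory quotes, plus
# URL-encoded and double-encoded variants a WAF rule should still catch, and
# one legitimate name containing '..' that must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2025:10:01:02 +0000] "POST /admin/user HTTP/1.1" 200 512 "username=alice&email=alice%40example.test"
203.0.113.9 - - [10/Dec/2025:10:01:10 +0000] "POST /admin/user HTTP/1.1" 200 512 "username=..%2FNijat&email=x%40example.test"
203.0.113.9 - - [10/Dec/2025:10:01:15 +0000] "POST /admin/user HTTP/1.1" 200 512 "username=..%5CNijat&email=x%40example.test"
203.0.113.9 - - [10/Dec/2025:10:01:20 +0000] "POST /admin/user HTTP/1.1" 200 512 "username=%252e%252e%2fNijat&email=x%40example.test"
203.0.113.7 - - [10/Dec/2025:10:02:00 +0000] "POST /admin/user HTTP/1.1" 200 512 "username=bob..smith&email=bob%40example.test"
"""

# client ip ... [timestamp] "request line" status bytes "recorded form body"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \d+ "([^"]*)"$')

# A '..' segment delimited by a slash, backslash, or the start/end of the value.
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so double encoding is seen through."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def contains_traversal(username: str) -> bool:
    """True when the fully decoded username carries a '..' path segment."""
    return TRAVERSAL_RE.search(decode_fully(username)) is not None


def scan(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client_ip, username_as_logged, decoded_username) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, body = m.groups()
        # parse_qs performs one round of percent-decoding; decode_fully handles the rest
        field = parse_qs(body, keep_blank_values=True).get("username", [""])[0]
        if contains_traversal(field):
            hits.append((ip, field, decode_fully(field)))
    return hits


if __name__ == "__main__":
    for ip, field, decoded in scan(SAMPLE_LOG):
        print(f"{ip}: username {field!r} decodes to {decoded!r}")
```

Three of the five requests are flagged, all from the same client, while `bob..smith` is left alone because the dots are not a path segment. Whatever WAF is used, the rule should decode before matching and treat the backslash form as seriously as the slash form, since the advisory quotes both.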
