Overview
CVE-2025-66299 is a high-severity Server-Side Template Injection (SSTI) vulnerability in Grav CMS, a flat-file (database-less) web platform. It allows an authenticated user with editor permissions to bypass Grav's Twig security sandbox and execute arbitrary code on the server. Versions prior to 1.8.0-beta.27 are affected. This advisory covers technical details, an impact assessment, and mitigation steps for this high-severity flaw.
Technical Details
The vulnerability lies in insufficient protection of the Twig object within the Grav CMS security sandbox. By injecting crafted Twig template directives into a web page, an authenticated editor can interact with the Twig object (call its methods, read and write its attributes). That access lets the attacker add arbitrary functions to the system.twig.safe_filters attribute, so the sandbox's allow-list is extended by the very template code it is supposed to confine. Once a dangerous PHP function is on the allow-list, it can be invoked from a template, which yields arbitrary PHP code execution on the server.
In effect, an editor account is promoted to shell-command execution on the web server, with the privileges of the PHP process; a full server compromise follows from there.
Example of the kind of Twig SSTI payload involved (illustrative only): this is the well-known Twig 1.x _self.env payload, shown here for the shape of such an attack. It is not taken from the advisory and does not target the Grav sandbox bypass described above, where the attacker instead extends the allow-list through the Twig object.
{# Twig 1.x only: register PHP exec() as the callback used for unknown filter names #}
{{ _self.env.registerUndefinedFilterCallback("exec") }}
{# looking up the undefined filter "whoami" now calls exec("whoami") #}
{{ _self.env.getFilter("whoami") }}
CVSS Analysis
- CVSS Score: 8.8 (HIGH)
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Explanation: The score reflects low attack complexity, the need for only low privileges (an authenticated editor account), no user interaction, and high impact on confidentiality, integrity, and availability. Scope is unchanged (S:U), so the rating counts the impact on the Grav host itself; the attacker obtains remote code execution on that host without any victim interaction.
Possible Impact
Successful exploitation of CVE-2025-66299 can lead to severe consequences, including:
- Remote Code Execution (RCE): The attacker can execute arbitrary commands on the server with the privileges of the PHP/web-server process.
- Data Breach: Sensitive data stored on the server can be accessed and exfiltrated.
- Website Defacement: The website can be defaced or completely taken over.
- Malware Deployment: The attacker can deploy malware on the server.
- Denial of Service (DoS): The server can be rendered unavailable to legitimate users.
Mitigation and Patch Steps
The recommended mitigation is to upgrade Grav CMS to version 1.8.0-beta.27 or later. This version contains a fix that addresses the insufficient sandbox protection and prevents the exploitation of this SSTI vulnerability.
To upgrade Grav CMS, follow these steps:
- Back up the site first, at minimum the user/ directory, which holds pages, accounts, plugins, themes, and configuration.
- Log in to the Grav Admin Panel. The Dashboard shows a notice when a Grav core update is available; core updates are separate from the Plugins and Themes sections, which only update extensions.
- Start the core update from that notice, or from a shell in the site root run bin/gpm selfupgrade.
- Verify the upgrade: the installed version is the GRAV_VERSION constant in system/defines.php (bin/gpm version also prints it) and should read 1.8.0-beta.27 or later.
- Re-test the site. Because the fixed release is a beta, confirm that your themes and plugins still behave on the 1.8 line before leaving it in production.
If upgrading is not immediately possible, apply temporary workarounds: restrict the Grav Admin Panel to trusted users (for example by IP allow-listing or an additional authentication layer at the web server); review which accounts hold editor permissions and remove any that do not need them, since editor access is the only precondition; audit recently modified page content under user/pages for Twig directives that reference the Twig object or system.twig.safe_filters, which never belong in ordinary page content; and monitor web-server and Grav logs for unexpected command execution or outbound connections from the PHP process.
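The version check from the upgrade steps and the page-content audit from the workarounds, as one small triage script. This is an added example, not Grav's own code or part of the advisory. It assumes that GRAV_VERSION is defined in system/defines.php by a line of the form define('GRAV_VERSION', '1.7.48');, that pages are stored as Markdown under user/pages/, and that the indicator patterns used to flag Twig directives are a heuristic starting list rather than an exhaustive signature; the sample page it scans is constructed for the demonstration.

```python
"""Triage helpers for CVE-2025-66299 on a Grav site tree (added example, not Grav code).

1. grav_version_from_defines() / is_vulnerable(): read GRAV_VERSION and compare it
   with the first fixed release, honouring pre-release suffixes such as -beta.27.
2. suspicious_directives() / scan_pages(): find Twig directives in page content that
   reference the Twig object, its allow-lists, or OS command functions.
"""
import re
import sys
from pathlib import Path

FIXED_VERSION = "1.8.0-beta.27"

# Assumed line format in system/defines.php:  define('GRAV_VERSION', '1.7.48');
_DEFINE_RE = re.compile(r"define\(\s*'GRAV_VERSION'\s*,\s*'([^']+)'\s*\)")

# Pre-release labels in release order; a final release outranks every pre-release.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}


def grav_version_from_defines(text):
    """Return the GRAV_VERSION string from defines.php content, or None if absent."""
    m = _DEFINE_RE.search(text)
    return m.group(1) if m else None


def parse_version(version):
    """Turn '1.8.0-beta.27' into a tuple that orders correctly under plain comparison:
    '1.8.0-beta.26' < '1.8.0-beta.27' < '1.8.0-rc.1' < '1.8.0' < '1.8.1'."""
    core, _, pre = version.partition("-")
    numbers = tuple(int(part) for part in core.split("."))
    if not pre:
        return numbers, (1,)  # final release sorts above any pre-release of the same core
    m = re.fullmatch(r"([A-Za-z]+)\.?(\d*)", pre)
    label = m.group(1).lower() if m else pre.lower()
    number = int(m.group(2)) if m and m.group(2) else 0
    return numbers, (0, _PRE_RANK.get(label, -1), number)


def is_vulnerable(version):
    """True when the installed version predates the first fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


# Matches {{ ... }} and {% ... %} blocks, including ones that span lines.
_TWIG_TAG_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)

# Heuristic indicators (assumed list; tune for your site). None of these belong in
# ordinary page content: each reaches the Twig object, its allow-lists, or the OS.
INDICATOR_RES = [re.compile(p, re.I) for p in (
    r"safe_filters", r"safe_functions", r"registerUndefinedFilterCallback",
    r"_self\.env", r"\btwig\b", r"config\.set\b",
    r"\b(?:system|exec|passthru|shell_exec|popen|proc_open)\s*\(",
    r"\|\s*(?:system|exec|passthru|shell_exec)\b",
)]


def suspicious_directives(content):
    """Return [(line_number, directive)] for Twig directives matching an indicator."""
    hits = []
    for m in _TWIG_TAG_RE.finditer(content):
        tag = m.group(0)
        if any(r.search(tag) for r in INDICATOR_RES):
            line = content.count("\n", 0, m.start()) + 1
            hits.append((line, " ".join(tag.split())))
    return hits


def scan_pages(pages_root):
    """Walk user/pages/**/*.md and map each flagged file to its suspicious directives."""
    findings = {}
    for path in sorted(Path(pages_root).rglob("*.md")):
        hits = suspicious_directives(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed sample page (not real site content): one benign directive, then two the
# audit should flag. The first is the Twig 1.x payload quoted in this advisory; the
# second only reads the allow-list setting and is not a working exploit.
SAMPLE_PAGE = """---
title: Team
process:
  twig: true
---
Welcome to the {{ page.title }} page.

{{ _self.env.registerUndefinedFilterCallback("exec") }}
{% set allow = config.system.twig.safe_filters %}
"""

if __name__ == "__main__":
    # Usage: python grav_triage.py /path/to/grav   (defaults to the current directory)
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    defines = root / "system" / "defines.php"
    version = grav_version_from_defines(defines.read_text()) if defines.exists() else None
    status = is_vulnerable(version) if version else "unknown"
    print(f"GRAV_VERSION: {version}  vulnerable: {status}")
    for path, hits in scan_pages(root / "user" / "pages").items():
        for line, directive in hits:
            print(f"{path}:{line}: {directive}")
```

Run it from outside the site root so the scan covers only user/pages; every hit deserves a look at the file's history, because an editor's injected directive stays in the Markdown on disk even after the Twig output has been rendered and served.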
References
- GitHub Commit: https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458
- GitHub Security Advisory: https://github.com/getgrav/grav/security/advisories/GHSA-gjc5-8cfh-653x
