Urgent: High-Severity Vulnerability (CVE-2025-66300) in Grav CMS Exposes User Credentials!

Overview

A critical security vulnerability, identified as CVE-2025-66300, has been discovered in Grav CMS, a file-based web platform. This vulnerability allows a low-privilege user account with page editing privileges to read arbitrary server files using the “Frontmatter” form. This includes sensitive files like Grav user account files (/grav/user/accounts/*.yaml), which store hashed user passwords, 2FA secrets, and password reset tokens. This poses a significant risk to Grav CMS installations.

Technical Details

The vulnerability stems from insufficient input validation when processing data submitted through the “Frontmatter” form within the Grav CMS administrative panel. A low-privilege user with page editing access can manipulate this form to access files outside the intended scope. Specifically, by crafting a malicious request, an attacker can force Grav to read and expose the contents of arbitrary files on the server, including the /grav/user/accounts/*.yaml files.
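The bug class the advisory describes, a path from a form field joined onto a content root without checking where it ends up, is easier to reason about next to its fix. The following is an added example written for this page; it is not Grav's code and not its patch. It builds a throwaway directory layout named after the advisory's own paths (user/pages as the intended scope, user/accounts as the data that must stay out of reach), shows the unchecked reader returning the account file, and shows the hardened reader, which canonicalises the path and requires it to stay under the root, refusing the same request while still serving a legitimate page file.

```python
"""Illustration of the bug class described above: a file path taken from a
form field is joined onto a content root without checking that the result
stays inside that root. Constructed example; not Grav's code or its patch."""
import os
import tempfile


def read_unchecked(root: str, requested: str) -> bytes:
    """Vulnerable pattern: os.path.join follows '../' segments straight out of
    `root`, and discards `root` entirely when `requested` is absolute."""
    with open(os.path.join(root, requested), "rb") as fh:
        return fh.read()


def resolve_inside(root: str, requested: str) -> str:
    """Return the canonical path for `requested` only if it stays under `root`;
    raise PermissionError otherwise. realpath() also collapses symlinks, so a
    link placed inside the root that points outside it is caught as well."""
    if os.path.isabs(requested):
        raise PermissionError(f"absolute paths are not accepted: {requested!r}")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:          # different drives on Windows: certainly outside
        inside = False
    if not inside:
        raise PermissionError(f"path escapes the content root: {requested!r}")
    return candidate


def read_checked(root: str, requested: str) -> bytes:
    with open(resolve_inside(root, requested), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build a throwaway layout mirroring the directories the advisory names
    (user/pages as the intended scope, user/accounts as the data it must not
    reach) and report which reader lets a page-scoped request hit the account file."""
    base = tempfile.mkdtemp()
    pages = os.path.join(base, "user", "pages")
    accounts = os.path.join(base, "user", "accounts")
    os.makedirs(pages)
    os.makedirs(accounts)
    with open(os.path.join(pages, "home.md"), "w") as fh:
        fh.write("---\ntitle: Home\n---\n")
    with open(os.path.join(accounts, "admin.yaml"), "w") as fh:
        # constructed placeholder, not a real password hash
        fh.write("hashed_password: PLACEHOLDER_HASH\n")

    sideways = os.path.join("..", "accounts", "admin.yaml")
    result = {
        "unchecked_leaks": b"hashed_password" in read_unchecked(pages, sideways),
        "checked_blocks": False,
        "checked_allows_legit": read_checked(pages, "home.md").startswith(b"---"),
    }
    try:
        read_checked(pages, sideways)
    except PermissionError:
        result["checked_blocks"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The containment check is the part worth copying: canonicalise first, then compare against the canonical root with commonpath rather than a string prefix test (a prefix test would accept a sibling directory such as pages-private next to pages).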

These .yaml files contain critical user data, including:

  • Hashed user passwords
  • Two-Factor Authentication (2FA) secrets
  • Password reset tokens

Successful exploitation grants an attacker the ability to compromise user accounts, potentially leading to complete control over the Grav CMS website.

CVSS Analysis

This vulnerability has been assigned a CVSS score of 8.5, indicating a HIGH severity. The CVSS vector likely reflects the following:

  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): Low
  • User Interaction (UI): None
  • Scope (S): Changed
  • Confidentiality Impact (C): High
  • Integrity Impact (I): None
  • Availability Impact (A): None

This high score reflects the ease of exploitation, the low privileges required, and the significant impact on confidentiality.

Possible Impact

The impact of CVE-2025-66300 is severe. A successful exploit can lead to:

  • Account Takeover: Attackers can reset passwords and gain access to user accounts, including administrator accounts.
  • Data Breach: Sensitive information, including user data and potentially other application data, can be exposed.
  • Website Defacement: Compromised accounts can be used to deface or modify website content.
  • Malware Distribution: Attackers can inject malicious code into the website, potentially infecting visitors.
  • Lateral Movement: Depending on the server configuration, attackers might be able to use the compromised Grav CMS instance as a stepping stone to access other systems on the network.

Mitigation or Patch Steps

The vulnerability is fixed in Grav CMS version 1.8.0-beta.27. Immediate action is required to mitigate this risk.

  1. Upgrade Grav CMS: Upgrade your Grav CMS installation to version 1.8.0-beta.27 or later. This is the most effective way to address the vulnerability. Follow the official Grav CMS upgrade instructions.
  2. Review User Privileges: Regularly review user privileges and ensure that users only have the minimum necessary permissions. Avoid granting page editing privileges to users who don’t require them.
  3. Implement Web Application Firewall (WAF): Consider implementing a Web Application Firewall (WAF) to detect and block malicious requests targeting this and other vulnerabilities. Ensure your WAF rules are up-to-date.
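Steps 1 and 2 above are both things an operator can check mechanically. The script below is an added example for this page, not Grav's own tooling. It reads GRAV_VERSION from system/defines.php (the constant Grav defines there) and compares it against the fixed release with pre-release-aware ordering, so that 1.8.0-beta.9 is correctly treated as older than 1.8.0-beta.27 and 1.8.0 as newer than both. It then parses the account YAML files and lists non-super accounts that hold page-editing access, which is the privilege level the advisory says suffices on an unpatched install. The account field names (access.admin.pages, access.admin.super, twofa_enabled) are assumed to follow Grav's account layout; the sample accounts are constructed and contain only placeholder values.

```python
"""Operator-side checks for mitigation steps 1 and 2 above: confirm the installed
Grav version is at or past the fixed release, and list the accounts whose
page-editing access should be reviewed. Added example, not Grav's own tooling."""
import glob
import os
import re
import sys

FIXED_VERSION = "1.8.0-beta.27"   # fixed release named in the advisory


def parse_version(v: str):
    """Split '1.8.0-beta.27' into ((1, 8, 0), ['beta', '27'])."""
    main, _, pre = v.strip().partition("-")
    return tuple(int(p) for p in main.split(".")), (pre.split(".") if pre else [])


def compare_versions(a: str, b: str) -> int:
    """Semver-style ordering, returning -1, 0 or 1. A pre-release sorts before
    its release ('1.8.0-rc.1' < '1.8.0'); numeric identifiers compare as numbers,
    so 'beta.9' < 'beta.27' even though '9' > '2' as text."""
    an, ap = parse_version(a)
    bn, bp = parse_version(b)
    if an != bn:
        return -1 if an < bn else 1
    if not ap or not bp:
        return bool(bp) - bool(ap)            # the side without a pre-release is higher
    for x, y in zip(ap, bp):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return -1 if x.isdigit() else 1   # numeric ids sort before alphanumeric
        if x != y:
            return -1 if x < y else 1
    return (len(ap) > len(bp)) - (len(ap) < len(bp))


def is_patched(installed: str) -> bool:
    return compare_versions(installed, FIXED_VERSION) >= 0


def grav_version_from_defines(php_source: str):
    """Read GRAV_VERSION from system/defines.php (define('GRAV_VERSION', '...'))."""
    m = re.search(r"define\(\s*'GRAV_VERSION'\s*,\s*'([^']+)'\s*\)", php_source)
    return m.group(1) if m else None


def parse_simple_yaml(text: str) -> dict:
    """Minimal parser for the nested 'key: value' subset found in account files
    (no lists, quoting or anchors); use PyYAML where it is available."""
    root: dict = {}
    stack = [(-1, root)]                      # (indent, mapping) pairs
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#") or raw.strip() == "---":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:         # climb back out to the parent mapping
            stack.pop()
        parent = stack[-1][1]
        if value:
            parent[key] = {"true": True, "false": False}.get(value.lower(), value)
        else:
            parent[key] = child = {}
            stack.append((indent, child))
    return root


def audit_accounts(files: dict) -> list:
    """files maps username -> YAML text. Field names (access.admin.pages,
    access.admin.super, twofa_enabled) are assumed to follow Grav's account layout."""
    rows = []
    for user, text in sorted(files.items()):
        data = parse_simple_yaml(text)
        admin = data.get("access", {}).get("admin", {})
        rows.append({"user": user,
                     "can_edit_pages": admin.get("pages") is True,
                     "is_super": admin.get("super") is True,
                     "twofa": data.get("twofa_enabled") is True})
    return rows


def needs_review(rows: list) -> list:
    """Non-super accounts that can edit pages: the privilege level the advisory
    says is enough to read account files on an unpatched install."""
    return [r["user"] for r in rows if r["can_edit_pages"] and not r["is_super"]]


SAMPLE_ACCOUNTS = {   # constructed sample data; hashes and secrets are placeholders
    "admin": "email: admin@example.com\nhashed_password: PLACEHOLDER\n"
             "twofa_enabled: true\ntwofa_secret: PLACEHOLDER\n"
             "access:\n  admin:\n    login: true\n    super: true\n  site:\n    login: true\n",
    "editor": "hashed_password: PLACEHOLDER\naccess:\n  admin:\n    login: true\n    pages: true\n",
    "reader": "hashed_password: PLACEHOLDER\naccess:\n  site:\n    login: true\n",
}


def audit_install(grav_root: str) -> dict:
    """Run both checks against a real install directory (pass the Grav root)."""
    with open(os.path.join(grav_root, "system", "defines.php")) as fh:
        version = grav_version_from_defines(fh.read())
    files = {}
    for path in glob.glob(os.path.join(grav_root, "user", "accounts", "*.yaml")):
        with open(path) as fh:
            files[os.path.splitext(os.path.basename(path))[0]] = fh.read()
    return {"version": version, "patched": bool(version) and is_patched(version),
            "review": needs_review(audit_accounts(files))}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(audit_install(sys.argv[1]))
    else:
        print("sample accounts to review:", needs_review(audit_accounts(SAMPLE_ACCOUNTS)))
```

Run it as `python audit.py /path/to/grav` on a real install; with no argument it audits the constructed sample, where only the editor account (page editing without super) is flagged. The review list is a starting point for step 2, not a verdict: the question for each flagged account is whether that person still needs page editing at all.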

About the Author

Cybersecurity specialist and founder of Gowri Shankar Infosec, a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
