Platform: php
Component: getgrav/grav
Fixed in: 1.8.1, 1.8.0-beta.27
CVE-2025-66295 is a path traversal vulnerability in getgrav/grav, a PHP-based flat-file CMS. An attacker who can create users through the Admin UI can supply a crafted username that makes Grav write the new account file outside its intended directory, an arbitrary file write that can expose or overwrite sensitive configuration and potentially compromise the whole site. The vulnerability affects getgrav/grav versions up to and including 1.8.0-beta.9; fixes are available in 1.8.0-beta.27 and 1.8.1.
The core impact of CVE-2025-66295 is that an attacker can write an account YAML file to a location of their choosing on the server. Grav derives the account file name from the username and stores it under user/accounts/; a username containing traversal sequences (e.g. ..\Nijat or ../Nijat) is not rejected, so the resulting path escapes that directory. The written file carries whatever the account record holds: e-mail address, full name, two-factor authentication secret and, critically, the hashed password. Because the attacker controls the target path, the same write can clobber site configuration files such as email.yaml, system.yaml or admin.yaml, which can lead to complete site compromise and data exfiltration. The pattern is the classic one for path traversal: relative path segments are used to break out of the directory the application meant to confine its writes to.
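The write described above comes down to one unchecked string join. The following added example (not Grav's code; the install paths and the username character set are assumptions) reproduces the flawed pattern under both POSIX and Windows path rules, and shows the two checks that close it: an allowlist on the username and a containment check on the resolved path.

```python
"""Why a username can steer Grav's account write outside user/accounts/.

Added example, not Grav's code: it reproduces the unchecked join pattern the
advisory describes and the checks that close it. The install paths and the
username character set are assumptions."""
import ntpath
import posixpath
import re

# Assumed Linux install location; Grav keeps accounts at user/accounts/<username>.yaml.
ACCOUNTS_DIR = "/var/www/grav/user/accounts"

# Assumed allowlist for account names: letters, digits, '_', '.', '-', never a separator.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def _pathmod(windows):
    """Pick path semantics explicitly so the demo is reproducible on any host."""
    return ntpath if windows else posixpath


def vulnerable_account_path(accounts_dir, username, windows=False):
    """Flawed pattern: the username becomes the file name with no validation,
    so '..' segments in it walk out of the accounts directory."""
    p = _pathmod(windows)
    return p.normpath(p.join(accounts_dir, username + ".yaml"))


def safe_account_path(accounts_dir, username, windows=False):
    """Allowlist the name, then confirm the resolved path is still under the base.
    The containment check is defence in depth against a future allowlist bug."""
    if not USERNAME_RE.fullmatch(username) or ".." in username:
        raise ValueError(f"rejected username {username!r}")
    p = _pathmod(windows)
    base = p.normpath(accounts_dir)
    candidate = p.normpath(p.join(base, username + ".yaml"))
    if p.commonpath([base, candidate]) != base:
        raise ValueError(f"{candidate} escapes {base}")
    return candidate


def rejects(accounts_dir, username, windows=False):
    """True if the hardened version refuses the username."""
    try:
        safe_account_path(accounts_dir, username, windows)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name in ("Nijat", "../Nijat", "../config/system", "..\\Nijat"):
        print(f"{name!r:20} -> {vulnerable_account_path(ACCOUNTS_DIR, name)}")
    # The backslash form is harmless on Linux but traverses on a Windows host:
    print(vulnerable_account_path(r"C:\grav\user\accounts", "..\\Nijat", windows=True))
```

Two details worth noting: `../config/system` lands on user/config/system.yaml, which is how an account write turns into a configuration overwrite, and `..\Nijat` only traverses where the backslash is a separator (Windows hosts), which is why the allowlist rejects both separators instead of relying on the host's path rules.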
CVE-2025-66295 was publicly disclosed on December 2, 2025. It is not listed in the CISA KEV catalog, and its EPSS score is low (0.08%, 23rd percentile at the time of writing). No public proof-of-concept (PoC) exploit had been released as of the disclosure date, but the attack is simple enough that PoCs are likely to appear. Active exploitation has not been confirmed.
Sites running getgrav/grav 1.8.0-beta.9 or earlier are at immediate risk, in particular those whose Admin UI is reachable from the public internet, since that is where the vulnerable user-creation form lives; Grav itself performs no validation on the username, so the site operator has nothing to tune. Shared hosting environments are at increased risk as well: a traversal write is bounded only by where the PHP process may write, which raises the possibility of cross-site contamination.
• php / server:
find /path/to/grav -path '*/user/accounts' -prune -o -name '*.yaml' -print0 | xargs -0r grep -l 'hashed_password:' # Assumed install path: account-shaped YAML (password hash key) outside user/accounts/ is what a traversal write leaves behind
• php / server:
tail -F /var/log/nginx/access.log | grep -iE '/admin.*(\.\.|%2e%2e)(/|\\|%2f|%5c)' # Assumed log path: watch admin requests for traversal sequences, plain or percent-encoded; form bodies are not in access logs, so pair this with WAF or request-body logging
• generic web:
curl -sI 'https://your-grav-site.com/admin' | head -n 1 # Check whether the Admin UI answers requests from the internet; an exposed admin route is the primary risk factor
EPSS: 0.08% (23rd percentile)
The recommended mitigation for CVE-2025-66295 is to upgrade immediately to getgrav/grav 1.8.0-beta.27 (or 1.8.1) or later. If that is not possible right away, reduce exposure of the vulnerable form: restrict network access to the Admin UI, and put a Web Application Firewall (WAF) rule in front of it that blocks requests carrying traversal patterns (..\, ../ and their percent-encoded forms) in the username field. Neither is a complete fix, since the missing validation is inside Grav itself. Watch for YAML files appearing outside user/accounts/, which is where a traversal-written account file lands. No Sigma or YARA rules exist for this issue at the time of writing; monitoring for unexpected YAML file creation is the practical detection.
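As an added example of the monitoring recommended above (not part of the advisory or of Grav; the account key names and the directory layout are assumptions modelled on the fields listed earlier), this script walks a Grav tree for YAML files that carry account keys but sit outside user/accounts/, which is exactly what a traversal-written account file looks like, whether it landed as a stray file or on top of a configuration file. The sample tree is constructed in a temporary directory so the script runs offline.

```python
"""Find account files that a traversal write dropped outside user/accounts/.

Added example, not part of the advisory or of Grav: the directory layout is
built in a temp dir here, and the account key names are assumptions based on
the fields the advisory lists (e-mail, full name, 2FA secret, password hash)."""
import os
import tempfile

# Assumed key names of a Grav account record; either one marks an account file.
ACCOUNT_MARKERS = ("hashed_password:", "twofa_secret:")
ACCOUNTS_SUBDIR = os.path.join("user", "accounts")
YAML_SUFFIXES = (".yaml", ".yml")


def looks_like_account_file(path):
    """Line scan, no YAML parser needed: does the file carry an account key?"""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return any(line.lstrip().startswith(ACCOUNT_MARKERS) for line in fh)
    except OSError:
        return False


def scan_for_misplaced_accounts(grav_root):
    """Return YAML files under grav_root that carry account keys but live outside
    user/accounts/. A traversal-written account is exactly that: right keys,
    wrong directory, whether it landed as user/Nijat.yaml or over a config file."""
    root = os.path.realpath(grav_root)
    accounts_dir = os.path.join(root, ACCOUNTS_SUBDIR)
    hits = []
    for dirpath, _subdirs, files in os.walk(root):
        # commonpath, not startswith: user/accounts2/ must not be treated as legitimate
        if os.path.commonpath([accounts_dir, dirpath]) == accounts_dir:
            continue
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(YAML_SUFFIXES) and looks_like_account_file(full):
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def build_demo_tree():
    """Constructed sample install: one legitimate account, one traversal-written
    account (username ../Nijat), a clean config, and email.yaml overwritten by
    an account write (username ../config/email). All values are made up."""
    root = tempfile.mkdtemp(prefix="grav-demo-")
    files = {
        "user/accounts/alice.yaml": "email: alice@example.com\nfullname: Alice\nhashed_password: $2y$10$constructed\n",
        "user/Nijat.yaml": "email: attacker@example.com\nfullname: Nijat\nhashed_password: $2y$10$constructed\n",
        "user/config/system.yaml": "debugger:\n  enabled: false\n",
        "user/config/email.yaml": "email: attacker@example.com\ntwofa_secret: CONSTRUCTEDSECRET\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for hit in scan_for_misplaced_accounts(build_demo_tree()):
        print("account-shaped YAML outside user/accounts/:", hit)
```

Run it against a real install by calling `scan_for_misplaced_accounts("/path/to/grav")`; any hit is either a traversal artefact or a configuration file that has been replaced with account content, and both deserve a look at the admin access logs for the matching user-creation request.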
Upgrade Grav to version 1.8.0-beta.27 or later. This release fixes the path traversal vulnerability that allows arbitrary YAML file writes; updating prevents the resulting account takeover and corruption of the system.
CVE-2025-66295 is a Path Traversal vulnerability in getgrav/grav allowing attackers to write arbitrary YAML files, potentially exposing sensitive data. It affects versions up to 1.8.0-beta.9.
Yes, if you are running getgrav/grav versions 1.8.0-beta.9 or earlier, you are vulnerable to this Path Traversal attack.
Upgrade getgrav/grav to version 1.8.0-beta.27 or later to remediate the vulnerability. As temporary workarounds, restrict access to the Admin UI and block traversal patterns in the username field at the WAF.
While no public exploits are currently known, the vulnerability's ease of exploitation suggests a high probability of exploitation if left unpatched.
Refer to the official getgrav/grav security advisory for detailed information and updates: [https://getgrav.org/blog/security-advisory-cve-2025-66295](https://getgrav.org/blog/security-advisory-cve-2025-66295)