Platform: php
Component: getgrav/grav
Fixed in: 1.8.1, 1.8.0-beta.27
CVE-2025-66295 is a Path Traversal vulnerability discovered in getgrav/grav, a PHP-based flat-file CMS. An attacker can exploit this flaw by crafting a malicious username during user creation within the Admin UI, leading to arbitrary file writes. This can expose sensitive configuration data and potentially compromise the entire system. The vulnerability affects versions of getgrav/grav up to 1.8.0-beta.9, and a fix is available in version 1.8.0-beta.27.
The primary impact of CVE-2025-66295 is that an attacker can write arbitrary YAML files on the server. This is achieved by injecting path traversal sequences (e.g., ..\Nijat or ../Nijat) into the username field during user creation. Because the username is used to build the path of the account YAML file, the attacker controls where that file is written and can overwrite critical configuration files such as email.yaml, system.yaml, or admin.yaml. Successful exploitation could lead to unauthorized access, modification of site settings, and complete system compromise; overwriting configuration files also allows persistent backdoors and further malicious activity. The flaw follows the same pattern as other path traversal vulnerabilities, in which directory traversal sequences are used to escape an intended directory and bypass access controls.
CVE-2025-66295 was publicly disclosed on December 2, 2025. No KEV listing is currently available. There are no known public proof-of-concept exploits at this time, but the vulnerability's ease of exploitation suggests a high probability of exploitation if left unpatched. The NVD entry was published on the same date as the public disclosure.
Exploit Status
EPSS: 0.08% (23rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-66295 is to immediately upgrade getgrav/grav to version 1.8.0-beta.27 or later. If upgrading is not immediately feasible, consider implementing stricter input validation on the username field within the Admin UI to prevent path traversal sequences. While not a complete solution, a Web Application Firewall (WAF) could be configured to block requests containing suspicious path traversal patterns in the username parameter. Monitor system logs for unusual file creation activity, particularly in the user/accounts/ directory and other sensitive locations. After upgrading, confirm the fix by attempting to create a user with a username containing path traversal sequences and verifying that the account YAML file is not written to an unintended location.
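To make the mitigation concrete, here is an added example (not Grav's own code, and not the vendor's fix) of the two controls a flat-file account store needs: a strict allow-list on the username, and an independent containment check on the resolved file path before anything is written. The function names, the accounts directory layout, and the constructed inputs (including the traversal shapes quoted above) are assumptions for illustration.

```php
<?php
// Added example, not code from getgrav/grav. Illustrates defensive username
// validation and path containment for a user/accounts/-style directory.
// All function names and the demo inputs are constructed for this example.

declare(strict_types=1);

/**
 * Allow-list the username: lowercase alphanumerics, "_", "." and "-", 3 to 32
 * characters, starting with an alphanumeric. Slashes, backslashes, NUL bytes
 * and a leading dot are all excluded, so "../Nijat" and "..\Nijat" never pass.
 * The explicit ".." check is belt-and-braces in case the pattern is relaxed.
 */
function isValidUsername(string $username): bool
{
    return (bool) preg_match('/\A[a-z0-9][a-z0-9_.-]{2,31}\z/', $username)
        && strpos($username, '..') === false;
}

/**
 * Map a username to its account YAML file and refuse any target that would
 * not sit directly inside the accounts directory. This is a second, separate
 * control so a bypass of the validator still cannot escape the directory.
 * realpath() is not usable on the target because the file does not exist yet,
 * so the user-controlled part is normalised segment by segment instead.
 * Returns the absolute path, or null when the target is refused.
 */
function resolveAccountFile(string $accountsDir, string $username): ?string
{
    $base = realpath($accountsDir);
    if ($base === false || strpos($username, "\0") !== false) {
        return null; // directory must exist; NUL bytes are never acceptable
    }
    $segments = [];
    // Split on both "/" and "\" so Windows-style traversal is treated the same.
    foreach (preg_split('#[\\\\/]+#', $username . '.yaml') as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            if ($segments === []) {
                return null; // would climb above the accounts directory
            }
            array_pop($segments);
            continue;
        }
        $segments[] = $segment;
    }
    if (count($segments) !== 1) {
        return null; // account files live directly in the accounts directory
    }
    return $base . DIRECTORY_SEPARATOR . $segments[0];
}

/** Runs both controls over constructed inputs and prints the verdicts. */
function demo(): void
{
    // Constructed sample usernames; the traversal forms mirror the ones above.
    $inputs = ['alice', '..\\Nijat', '../Nijat', '../../config/system', 'bob/evil'];
    $accountsDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'accounts_demo';
    if (!is_dir($accountsDir)) {
        mkdir($accountsDir, 0700, true);
    }
    foreach ($inputs as $username) {
        $verdict = isValidUsername($username) ? 'valid' : 'rejected';
        $path = resolveAccountFile($accountsDir, $username);
        printf("%-24s validator=%-8s target=%s\n",
            var_export($username, true), $verdict, $path ?? 'REFUSED');
    }
}

demo();
```

Run it with `php example.php`: only `alice` passes the validator and resolves to `<tmp>/accounts_demo/alice.yaml`; every traversal input is rejected by the allow-list and independently refused by the containment check. Keeping the two checks separate matters because the validator is the part most likely to be loosened later (for example to allow e-mail-style usernames), while the containment check continues to guarantee the write stays inside the accounts directory.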
Update Grav to version 1.8.0-beta.27 or later. This version fixes the path traversal vulnerability that allows arbitrary YAML file writes. Updating will prevent possible account takeover and corruption of the system.
CVE-2025-66295 is a Path Traversal vulnerability in getgrav/grav allowing attackers to write arbitrary YAML files, potentially exposing sensitive data. It affects versions up to 1.8.0-beta.9.
Yes, if you are running getgrav/grav versions 1.8.0-beta.9 or earlier, you are vulnerable to this Path Traversal attack.
Upgrade getgrav/grav to version 1.8.0-beta.27 or later to remediate the vulnerability. Implement input validation as a temporary workaround.
While no public exploits are currently known, the vulnerability's ease of exploitation suggests a high probability of exploitation if left unpatched.
Refer to the official getgrav/grav security advisory for detailed information and updates: [https://getgrav.org/blog/security-advisory-cve-2025-66295](https://getgrav.org/blog/security-advisory-cve-2025-66295)