Platform
php
Component
getgrav/grav
Fixed versions
1.8.1
1.8.0-beta.27
CVE-2025-66299 is a Server-Side Template Injection (SSTI) vulnerability in Grav CMS. An authenticated user with editor permissions can supply Twig template code that escapes Grav's template sandbox and executes arbitrary PHP on the server. The affected range listed for this issue is versions up to and including 1.8.0-beta.9; the fix is available in version 1.8.0-beta.27 and later.
The impact is significant: successful exploitation gives the attacker remote code execution (RCE) under the account running PHP on the server hosting Grav. From there the attacker can read or alter all content and configuration, deface the site, plant persistence, and pivot to anything else the PHP worker can reach. Because the flaw bypasses the sandbox that normally restricts what editor-authored templates may call, the usual containment for untrusted template content does not apply, and the blast radius covers every site and service hosted alongside the affected instance.
The vulnerability was publicly disclosed on December 2, 2025. No public exploit has been widely reported so far, but SSTI flaws are typically straightforward to weaponize once the injection point is known, so rapid exploitation is plausible. The CVSS score of 8.8 (High) reflects that risk; the EPSS estimate shown below (0.10%, 28th percentile) is still low at the time of writing. Monitor security advisories and threat-intelligence feeds for signs of active campaigns targeting Grav CMS instances.
Exploitation requires an editor account, so Grav sites with multiple editors, contributor accounts, or other users holding elevated content-editing rights are the primary targets. Shared hosting environments where several Grav instances run on the same server are also exposed: code execution in one instance can reach the files of the others unless the instances are isolated under separate system users.
• php: Examine Grav theme templates (user/themes/<theme>/templates/*.html.twig) and page content under user/pages with Twig processing enabled for suspicious Twig expressions: references to the Twig environment (_self, .env), array filters handed a string callable (filter, map, reduce), attribute()/constant() reflection helpers, PHP function names such as system or exec appearing as strings, and raw <?php tags. Pay particular attention to content that editors can modify.
• linux / server: Monitor web-server and PHP logs (e.g., /var/log/apache2/error.log, /var/log/nginx/error.log, the PHP-FPM log, /var/log/syslog) for unusual PHP errors raised during Twig rendering, and audit process execution (auditd or an execsnoop-style tool) for shells or system commands spawned by the PHP worker.
• generic web: Use curl to request a Twig-processed page after saving a benign probe such as {{ config.system.uri_scheme }} or {{ 7*7 }} into editor-controlled content; if the response contains the evaluated value rather than the literal text, editor input is being evaluated as Twig. This confirms the injection point exists, not that the sandbox can be escaped.
• database (mysql): Grav itself is a flat-file CMS and stores pages and configuration as Markdown and YAML files under user/, so look for unexpected changes to those files first (modification times, new .md or .php files, altered YAML). Only if a plugin has added a database should you also check it for unexpected rows or modifications that could indicate an attacker persisting malicious code.
Disclosure
Exploitation status
EPSS
0.10% (28th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-66299 is to upgrade Grav CMS to version 1.8.0-beta.27 or later immediately. If upgrading is not immediately feasible, reduce the attack surface in the meantime: review which accounts hold editor permissions and remove any that do not need them, disable Twig processing on pages where editors do not require it, and avoid placing user-controlled input inside templates. A generic WAF rule against SSTI is hard to get right (the payloads are ordinary template syntax), so do not rely on one. Regularly scan templates and Twig-enabled pages for potentially dangerous constructs. After upgrading, verify the fix by confirming that editor-supplied content still renders only what the sandbox policy allows and that attempts to reach objects or functions outside that policy are rejected rather than executed; a benign probe such as {{ config.system.uri_scheme }} only shows that Twig evaluation happens, not that the sandbox holds.
Update Grav CMS to version 1.8.0-beta.27 or later. This version contains the fix for the Server-Side Template Injection (SSTI) vulnerability and prevents arbitrary code execution on the server.
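The template-scanning step from the detection list above and the "regularly scan templates" advice in the mitigation can be automated. The scanner below is an added example for this page, not Grav project code: it walks user/pages and user/themes of a Grav install, extracts every {{ ... }} and {% ... %} block, and flags constructs commonly used to escape a Twig sandbox and reach PHP callables. The indicator list is a general Twig SSTI heuristic (an assumption), not the specific payload behind CVE-2025-66299, and the sample page content is constructed for the demonstration.

```python
"""Heuristic scanner for risky Twig constructs in Grav templates and pages.

Added example (not Grav project code). The indicator patterns are a general
Twig SSTI heuristic, an assumption rather than the CVE-2025-66299 payload.
"""
import re
from pathlib import Path

# Twig output statements and logic tags; DOTALL so multi-line blocks are captured.
TWIG_BLOCK = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.DOTALL)

# Heuristic indicators (assumption: typical sandbox-escape building blocks).
INDICATORS = {
    # Reaching the Twig environment object or its registered extensions/runtimes.
    "environment_access": re.compile(
        r"\b_self\b|\.env\b|getRuntime|getExtension|getFunction|getFilter"),
    # Array filters that accept a callable passed as a string, e.g. |filter('system').
    "callable_string": re.compile(r"\|\s*(filter|map|reduce|sort)\s*\(\s*['\"]"),
    # Functions often used to reach arbitrary objects, constants or files.
    "reflection_helpers": re.compile(r"\b(attribute|constant|source|include)\s*\("),
    # PHP execution / file-writing primitives smuggled in as strings.
    "php_primitive": re.compile(
        r"['\"](system|exec|passthru|shell_exec|popen|proc_open|eval|assert|file_put_contents)['\"]"),
}
PHP_OPEN_TAG = re.compile(r"<\?php|<\?=")
# Grav page frontmatter switch (process: twig: true) that sends page content through Twig.
TWIG_ENABLED = re.compile(r"^\s*twig:\s*true\s*$", re.MULTILINE)


def scan_text(text, path="<inline>"):
    """Return a list of findings (dicts) for one file's content."""
    findings = []
    twig_processed = bool(TWIG_ENABLED.search(text))
    for m in TWIG_BLOCK.finditer(text):
        body = m.group(1) if m.group(1) is not None else m.group(2)
        line = text.count("\n", 0, m.start()) + 1
        for name, pattern in INDICATORS.items():
            if pattern.search(body):
                findings.append({"path": path, "line": line, "indicator": name,
                                 "twig_processed": twig_processed,
                                 "snippet": " ".join(m.group(0).split())})
    for m in PHP_OPEN_TAG.finditer(text):
        # Raw PHP in a page or template is never legitimate editor content.
        line = text.count("\n", 0, m.start()) + 1
        findings.append({"path": path, "line": line, "indicator": "php_open_tag",
                         "twig_processed": twig_processed,
                         "snippet": text[m.start():m.start() + 40]})
    return findings


def scan_tree(root):
    """Scan page content (*.md) and theme templates (*.twig) under a Grav install root."""
    root = Path(root)
    targets = list((root / "user" / "pages").rglob("*.md")) + \
              list((root / "user" / "themes").rglob("*.twig"))
    findings = []
    for p in targets:
        findings.extend(scan_text(p.read_text(encoding="utf-8", errors="replace"), str(p)))
    return findings


# Constructed sample: a Grav page as an editor could save it. The first line of
# body is benign (the page's own probe only reads config); the next two are not.
SAMPLE_PAGE = """---
title: Team
process:
    markdown: true
    twig: true
---
Welcome, {{ page.title }}! Scheme: {{ config.system.uri_scheme }}
{{ ['id']|filter('system') }}
{% set e = _self.env %}
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_PAGE, "user/pages/01.team/default.md"):
        flag = "twig-enabled" if f["twig_processed"] else "twig-disabled"
        print(f"{f['path']}:{f['line']} [{flag}] {f['indicator']}: {f['snippet']}")
```

Run `scan_tree("/var/www/grav")` (path is an assumption) from cron or a CI job and alert on any finding in a Twig-enabled page; findings in theme templates under version control should be triaged against the committed source. Expect the heuristic to produce some false positives on legitimate theme code (for example, a theme's own use of `include(`), so tune the indicator set to your themes rather than suppressing the scanner.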
CVE-2025-66299 is a Server-Side Template Injection vulnerability in Grav CMS versions up to 1.8.0-beta.9, allowing authenticated users with editor permissions to execute arbitrary code.
Yes, if you are running Grav CMS versions 1.8.0-beta.9 or earlier, you are vulnerable to this SSTI vulnerability.
Upgrade Grav CMS to version 1.8.0-beta.27 or later to resolve this vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
No widespread exploitation has been confirmed, but SSTI flaws are typically easy to weaponize once the injection point is known, so treat exploitation as likely to follow. Monitor the Grav security advisories.
Refer to the official Grav CMS security advisories and release notes on the Grav CMS website for detailed information and updates.