Cyber Posture

CVE-2025-66301

Critical · Public PoC

Published: 01 December 2025
Modified: 03 December 2025
KEV Added: (none)
Patch: available (see Description)
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.2622 (96.3rd percentile)
Risk Priority: 35 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical fields on a POST request to /admin/pages/{page_name}, an editor with only permissions to change basic content on the form is able to change the functioning of the form by modifying the content of data[_json][header][form]. This is the page's YAML frontmatter, which includes the process section that dictates what happens after a user submits the form; that section includes some important actions that could lead to further vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: AC-3 enforces approved authorizations for access to system resources, directly preventing low-privileged editors from modifying critical YAML frontmatter fields via admin POST requests.
- prevent: AC-6 applies least privilege to restrict editor roles from accessing or altering sensitive form process configurations in page YAML.
- prevent: CM-5 restricts access to changes in system components like page files and YAML headers, mitigating unauthorized modifications by low-privileged users.

Security Summary (AI-generated)

CVE-2025-66301 is an improper authorization vulnerability (CWE-285) affecting Grav, a file-based web platform, in versions prior to 1.8.0-beta.27. The issue arises from inadequate checks when handling POST requests to /admin/pages/{page_name}, allowing modification of critical fields. Specifically, an authenticated editor can alter the YAML frontmatter in data[_json][header][form], including the process section that controls post-submission form behavior and enables potentially dangerous actions.

The vulnerability can be exploited over the network (AV:N) with low complexity (AC:L), requiring low privileges (PR:L) such as editor access for basic content changes, without user interaction (UI:N). Successful exploitation changes the scope (S:C) and grants high confidentiality (C:H) and integrity (I:H) impacts, with no availability impact (A:N), earning a CVSS v3.1 base score of 9.6. Attackers with editor permissions can reconfigure form processing logic to perform unauthorized actions, potentially chaining into additional vulnerabilities.

The Grav security advisory (GHSA-v8x2-fjv7-8hjh) confirms the issue is fixed in version 1.8.0-beta.27, recommending immediate upgrades for affected installations.

Details

CWE(s): CWE-285 (Improper Authorization)

Affected Products

- Vendor: getgrav
- Product: grav
- Versions: 1.8.0 · ≤ 1.8.0

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1221 Template Injection · Stealth
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.

Why these techniques?

Broken access control allows an authenticated editor to modify YAML frontmatter in page forms, enabling server-side template injection (SSTI) via malicious Twig payloads in the process section, potentially leading to code execution.

References