cvelistv5 - cve-2025-66295

CVE-2025-66295 (GCVE-0-2025-66295)

Vulnerability from cvelistv5 – Published: 2025-12-01 20:46 – Updated: 2025-12-02 14:04

Title

Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption

Summary

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, when a user with privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example ..\Nijat or ../Nijat), Grav writes the account YAML file to an unintended path outside user/accounts/. The written YAML can contain account fields such as email, fullname, twofa_secret, and hashed_password. This vulnerability is fixed in 1.8.0-beta.27.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/getgrav/grav/security/advisori…	x_refsource_CONFIRM
	https://github.com/getgrav/grav/commit/3462d94d57…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	getgrav	grav	Affected: < 1.8.0-beta.27

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-66295",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-02T14:04:26.033361Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-02T14:04:38.344Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "grav",
          "vendor": "getgrav",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.8.0-beta.27"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Grav is a file-based Web platform. Prior to 1.8.0-beta.27, when a user with privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example ..\\Nijat or ../Nijat), Grav writes the account YAML file to an unintended path outside user/accounts/. The written YAML can contain account fields such as email, fullname, twofa_secret, and hashed_password. This vulnerability is fixed in 1.8.0-beta.27."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-01T20:46:56.726Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/getgrav/grav/security/advisories/GHSA-h756-wh59-hhjv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/getgrav/grav/security/advisories/GHSA-h756-wh59-hhjv"
        },
        {
          "name": "https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741"
        }
      ],
      "source": {
        "advisory": "GHSA-h756-wh59-hhjv",
        "discovery": "UNKNOWN"
      },
      "title": "Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-66295",
    "datePublished": "2025-12-01T20:46:56.726Z",
    "dateReserved": "2025-11-26T23:11:46.393Z",
    "dateUpdated": "2025-12-02T14:04:38.344Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-66295\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-12-01T21:15:53.000\",\"lastModified\":\"2025-12-04T18:34:22.470\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Grav is a file-based Web platform. Prior to 1.8.0-beta.27, when a user with privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example ..\\\\Nijat or ../Nijat), Grav writes the account YAML file to an unintended path outside user/accounts/. The written YAML can contain account fields such as email, fullname, twofa_secret, and hashed_password. This vulnerability is fixed in 1.8.0-beta.27.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.7.49.5\",\"versionEndExcluding\":\"1.8.0\",\"matchCriteriaId\":\"4F55C0B3-A41D-4E64-A631-E4868A40A8A5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"8A383F2E-C6BA-440B-B648-A3313B7D91C3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta10:*:*:*:*:*:*\",\"matchCriteriaId\":\"F7EF2DEC-2798-4D0D-9C27-0F01BAFEAEFD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta11:*:*:*:*:*:*\",\"matchCriteriaId\":\"530C6F64-F30B-4E93-9A12-D9625EA57483\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta12:*:*:*:*:*:*\",\"matchCriteriaId\":\"9AC28BF9-626D-4514-91F0-F81DAB5D3602\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta13:*:*:*:*:*:*\",\"matchCriteriaId\":\"307AA375-E531-4AE5-BA79-2F9D4DE7A05F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta14:*:*:*:*:*:*\",\"matchCriteriaId\":\"C2E3E312-485D-42B0-B465-64B6438CDCAE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta15:*:*:*:*:*:*\",\"matchCriteriaId\":\"5BE4B2F9-1B6D-4D18-916A-5C95A3213222\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta16:*:*:*:*:*:*\",\"matchCriteriaId\":\"763207F0-92D1-4274-A30A-DE634C5852C3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta17:*:*:*:*:*:*\",\"matchCriteriaId\":\"1DE8F350-BA07-4DAA-AE4B-5E0A532B6828\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta18:*:*:*:*:*:*\",\"matchCriteriaId\":\"F9150B94-0DF3-43F3-9806-39787A6C0E4D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta19:*:*:*:*:*:*\",\"matchCriteriaId\":\"BAA7C7EC-8FB2-445D-8A02-1743D87F5416\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta2:*:*:*:*:*:*\",\"matchCriteriaId\":\"7A6BEA2A-D534-4C9E-811A-8A46E214C46D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta20:*:*:*:*:*:*\",\"matchCriteriaId\":\"7A644F57-FF39-4262-9796-7C4F3B0851C1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta21:*:*:*:*:*:*\",\"matchCriteriaId\":\"B2AFB9E7-084E-497B-B0FC-CA6A5033C5BF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta22:*:*:*:*:*:*\",\"matchCriteriaId\":\"5C5E8823-9083-4FFA-9897-CAD0340DCE68\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta23:*:*:*:*:*:*\",\"matchCriteriaId\":\"9C048938-E0EC-4AD0-9847-FD74E6770FE2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta24:*:*:*:*:*:*\",\"matchCriteriaId\":\"F7B43876-1445-418A-9707-E692FDF62C4D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta25:*:*:*:*:*:*\",\"matchCriteriaId\":\"94B209DE-01C6-41BA-B912-CF57849A9F7A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta26:*:*:*:*:*:*\",\"matchCriteriaId\":\"AB53AA10-87A5-4010-8019-BF4AA5ABC12B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta3:*:*:*:*:*:*\",\"matchCriteriaId\":\"775E0913-F3EF-4A55-B162-5BF9C6E2E641\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta4:*:*:*:*:*:*\",\"matchCriteriaId\":\"3C3E022E-35CB-40AD-959A-F39949E38BD3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta5:*:*:*:*:*:*\",\"matchCriteriaId\":\"8779C813-A81A-4E21-AB86-6193933568BC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta6:*:*:*:*:*:*\",\"matchCriteriaId\":\"B608EDD4-207A-41A7-A60D-496FDA8EAFEA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta7:*:*:*:*:*:*\",\"matchCriteriaId\":\"AE1F2253-3EE0-4ADD-B8A5-C882A60FC626\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta8:*:*:*:*:*:*\",\"matchCriteriaId\":\"81D4C859-5560-42F1-ACD9-65210E523F28\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta9:*:*:*:*:*:*\",\"matchCriteriaId\":\"156707A7-9507-4AC1-9CD0-90E32836E9DF\"}]}]}],\"references\":[{\"url\":\"https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/getgrav/grav/security/advisories/GHSA-h756-wh59-hhjv\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-66295\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-02T14:04:26.033361Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-02T14:04:32.897Z\"}}], \"cna\": {\"title\": \"Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption\", \"source\": {\"advisory\": \"GHSA-h756-wh59-hhjv\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"getgrav\", \"product\": \"grav\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.8.0-beta.27\"}]}], \"references\": [{\"url\": \"https://github.com/getgrav/grav/security/advisories/GHSA-h756-wh59-hhjv\", \"name\": \"https://github.com/getgrav/grav/security/advisories/GHSA-h756-wh59-hhjv\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741\", \"name\": \"https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Grav is a file-based Web platform. Prior to 1.8.0-beta.27, when a user with privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example ..\\\\Nijat or ../Nijat), Grav writes the account YAML file to an unintended path outside user/accounts/. The written YAML can contain account fields such as email, fullname, twofa_secret, and hashed_password. This vulnerability is fixed in 1.8.0-beta.27.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-12-01T20:46:56.726Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-66295\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-02T14:04:38.344Z\", \"dateReserved\": \"2025-11-26T23:11:46.393Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-12-01T20:46:56.726Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

CNVD-2025-30349

Vulnerability from cnvd - Published: 2025-12-09

Title

Grav路径遍历漏洞

Description

Grav是一套可扩展的用于个人博客、小型内容发布平台和单页产品展示的CMS（内容管理系统）。 Grav存在路径遍历漏洞，该漏洞源于路径遍历序列导致账户YAML文件写入错误路径。攻击者可利用该漏洞导致机密性、完整性和可用性受影响。

Severity

高

Patch Name

Grav路径遍历漏洞的补丁

Patch Description

Grav是一套可扩展的用于个人博客、小型内容发布平台和单页产品展示的CMS（内容管理系统）。 Grav存在路径遍历漏洞，该漏洞源于路径遍历序列导致账户YAML文件写入错误路径。攻击者可利用该漏洞导致机密性、完整性和可用性受影响。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级程序修复该安全问题，详情见厂商官网: https://getgrav.org/downloads

Reference

https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741

Impacted products

Name
Grav Grav <1.8.0-beta.27

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-66295",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-66295"
    }
  },
  "description": "Grav\u662f\u4e00\u5957\u53ef\u6269\u5c55\u7684\u7528\u4e8e\u4e2a\u4eba\u535a\u5ba2\u3001\u5c0f\u578b\u5185\u5bb9\u53d1\u5e03\u5e73\u53f0\u548c\u5355\u9875\u4ea7\u54c1\u5c55\u793a\u7684CMS\uff08\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\uff09\u3002\n\nGrav\u5b58\u5728\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u8def\u5f84\u904d\u5386\u5e8f\u5217\u5bfc\u81f4\u8d26\u6237YAML\u6587\u4ef6\u5199\u5165\u9519\u8bef\u8def\u5f84\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u673a\u5bc6\u6027\u3001\u5b8c\u6574\u6027\u548c\u53ef\u7528\u6027\u53d7\u5f71\u54cd\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u7a0b\u5e8f\u4fee\u590d\u8be5\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u89c1\u5382\u5546\u5b98\u7f51:\r\nhttps://getgrav.org/downloads",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-30349",
  "openTime": "2025-12-09",
  "patchDescription": "Grav\u662f\u4e00\u5957\u53ef\u6269\u5c55\u7684\u7528\u4e8e\u4e2a\u4eba\u535a\u5ba2\u3001\u5c0f\u578b\u5185\u5bb9\u53d1\u5e03\u5e73\u53f0\u548c\u5355\u9875\u4ea7\u54c1\u5c55\u793a\u7684CMS\uff08\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\uff09\u3002\r\n\r\nGrav\u5b58\u5728\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u8def\u5f84\u904d\u5386\u5e8f\u5217\u5bfc\u81f4\u8d26\u6237YAML\u6587\u4ef6\u5199\u5165\u9519\u8bef\u8def\u5f84\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u673a\u5bc6\u6027\u3001\u5b8c\u6574\u6027\u548c\u53ef\u7528\u6027\u53d7\u5f71\u54cd\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Grav\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Grav Grav \u003c1.8.0-beta.27"
  },
  "referenceLink": "https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741",
  "serverity": "\u9ad8",
  "submitTime": "2025-12-03",
  "title": "Grav\u8def\u5f84\u904d\u5386\u6f0f\u6d1e"
}

FKIE_CVE-2025-66295

Vulnerability from fkie_nvd - Published: 2025-12-01 21:15 - Updated: 2025-12-04 18:34

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741	Patch
	security-advisories@github.com	https://github.com/getgrav/grav/security/advisories/GHSA-h756-wh59-hhjv	Vendor Advisory

Impacted products

Vendor	Product	Version
getgrav	grav	*
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4F55C0B3-A41D-4E64-A631-E4868A40A8A5",
              "versionEndExcluding": "1.8.0",
              "versionStartIncluding": "1.7.49.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "8A383F2E-C6BA-440B-B648-A3313B7D91C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta10:*:*:*:*:*:*",
              "matchCriteriaId": "F7EF2DEC-2798-4D0D-9C27-0F01BAFEAEFD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta11:*:*:*:*:*:*",
              "matchCriteriaId": "530C6F64-F30B-4E93-9A12-D9625EA57483",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta12:*:*:*:*:*:*",
              "matchCriteriaId": "9AC28BF9-626D-4514-91F0-F81DAB5D3602",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta13:*:*:*:*:*:*",
              "matchCriteriaId": "307AA375-E531-4AE5-BA79-2F9D4DE7A05F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta14:*:*:*:*:*:*",
              "matchCriteriaId": "C2E3E312-485D-42B0-B465-64B6438CDCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta15:*:*:*:*:*:*",
              "matchCriteriaId": "5BE4B2F9-1B6D-4D18-916A-5C95A3213222",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta16:*:*:*:*:*:*",
              "matchCriteriaId": "763207F0-92D1-4274-A30A-DE634C5852C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta17:*:*:*:*:*:*",
              "matchCriteriaId": "1DE8F350-BA07-4DAA-AE4B-5E0A532B6828",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta18:*:*:*:*:*:*",
              "matchCriteriaId": "F9150B94-0DF3-43F3-9806-39787A6C0E4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta19:*:*:*:*:*:*",
              "matchCriteriaId": "BAA7C7EC-8FB2-445D-8A02-1743D87F5416",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "7A6BEA2A-D534-4C9E-811A-8A46E214C46D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta20:*:*:*:*:*:*",
              "matchCriteriaId": "7A644F57-FF39-4262-9796-7C4F3B0851C1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta21:*:*:*:*:*:*",
              "matchCriteriaId": "B2AFB9E7-084E-497B-B0FC-CA6A5033C5BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta22:*:*:*:*:*:*",
              "matchCriteriaId": "5C5E8823-9083-4FFA-9897-CAD0340DCE68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta23:*:*:*:*:*:*",
              "matchCriteriaId": "9C048938-E0EC-4AD0-9847-FD74E6770FE2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta24:*:*:*:*:*:*",
              "matchCriteriaId": "F7B43876-1445-418A-9707-E692FDF62C4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta25:*:*:*:*:*:*",
              "matchCriteriaId": "94B209DE-01C6-41BA-B912-CF57849A9F7A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta26:*:*:*:*:*:*",
              "matchCriteriaId": "AB53AA10-87A5-4010-8019-BF4AA5ABC12B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta3:*:*:*:*:*:*",
              "matchCriteriaId": "775E0913-F3EF-4A55-B162-5BF9C6E2E641",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta4:*:*:*:*:*:*",
              "matchCriteriaId": "3C3E022E-35CB-40AD-959A-F39949E38BD3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta5:*:*:*:*:*:*",
              "matchCriteriaId": "8779C813-A81A-4E21-AB86-6193933568BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta6:*:*:*:*:*:*",
              "matchCriteriaId": "B608EDD4-207A-41A7-A60D-496FDA8EAFEA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta7:*:*:*:*:*:*",
              "matchCriteriaId": "AE1F2253-3EE0-4ADD-B8A5-C882A60FC626",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta8:*:*:*:*:*:*",
              "matchCriteriaId": "81D4C859-5560-42F1-ACD9-65210E523F28",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta9:*:*:*:*:*:*",
              "matchCriteriaId": "156707A7-9507-4AC1-9CD0-90E32836E9DF",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Grav is a file-based Web platform. Prior to 1.8.0-beta.27, when a user with privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example ..\\Nijat or ../Nijat), Grav writes the account YAML file to an unintended path outside user/accounts/. The written YAML can contain account fields such as email, fullname, twofa_secret, and hashed_password. This vulnerability is fixed in 1.8.0-beta.27."
    }
  ],
  "id": "CVE-2025-66295",
  "lastModified": "2025-12-04T18:34:22.470",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-12-01T21:15:53.000",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-h756-wh59-hhjv"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-H756-WH59-HHJV

Vulnerability from github – Published: 2025-12-02 01:23 – Updated: 2025-12-02 01:23

Summary

Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption

Details

Summary

When a user with privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example ..\Nijat or ../Nijat), Grav writes the account YAML file to an unintended path outside user/accounts/. The written YAML can contain account fields such as email, fullname, twofa_secret, and hashed_password. In my tests, I was able to cause the Admin UI to write the following content into arbitrary .yaml files (including files like email.yaml, system.yaml, or other site YAML files like admin.yaml) — demonstrating arbitrary YAML write / overwrite via the Admin UI.

Example observed content written by the Admin UI (test data): username: ..\Nijat state: enabled email: EMAIL@gmail.com fullname: 'Nijat Alizada' language: en content_editor: default twofa_enabled: false twofa_secret: RWVEIHC2AFVD6FCR6UHCO3DS4HWXKKDT avatar: { } hashed_password: $2y$10$wl9Ktv3vUmDKCt8o6u2oOuRZr1I04OE0YZf2sJ1QcAherbNnk1XVC access: site: login: true

Steps to Reproduce

Log in to the Grav Admin UI as an administrator.
Create a new user with the following values (example): a. Username: ..\POC-TOKEN-2025-09-29 b. Fullname: POC-TOKEN-2025-09-29 c. Email: poc+2025-09-29@example.test d. Password: (any password) Observe that a YAML file containing the POC-TOKEN is written outside user/accounts/ (for example in the parent directory of user/accounts)

Impact

Config corruption / service disruption: Overwriting system.yaml, email.yaml, or plugin config files with attacker-controlled YAML (even if limited to fields present in account YAML) could break functionality, disable services, or cause misconfiguration requiring recovery from backups.
Account takeover, any user with create user privilege can modify other user's email and password by just creating a new user with the name "..\accounts\USERNAME_OF_VICTIM"

Proof of Concept

https://github.com/user-attachments/assets/cf503d74-f765-4031-8e22-71f6b3630847

Severity ?

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getgrav/grav"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.0-beta.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66295"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-02T01:23:05Z",
    "nvd_published_at": "2025-12-01T21:15:53Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nWhen a user with privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example ..\\Nijat or ../Nijat), Grav writes the account YAML file to an unintended path outside user/accounts/. The written YAML can contain account fields such as email, fullname, twofa_secret, and hashed_password. In my tests,  I was able to cause the Admin UI to write the following content into arbitrary .yaml files (including files like email.yaml, system.yaml, or other site YAML files like admin.yaml) \u2014 demonstrating arbitrary YAML write / overwrite via the Admin UI.\n\nExample observed content written by the Admin UI (test data):\nusername: ..\\Nijat\nstate: enabled\nemail: [EMAIL@gmail.com](mailto:EMAIL@gmail.com)\nfullname: \u0027Nijat Alizada\u0027\nlanguage: en\ncontent_editor: default\ntwofa_enabled: false\ntwofa_secret: RWVEIHC2AFVD6FCR6UHCO3DS4HWXKKDT\navatar: { }\nhashed_password: $2y$10$wl9Ktv3vUmDKCt8o6u2oOuRZr1I04OE0YZf2sJ1QcAherbNnk1XVC\naccess:\nsite:\nlogin: true\n\n\n### Steps to Reproduce\n1. Log in to the Grav Admin UI as an administrator.\n2. Create a new user with the following values (example):\n        a. Username: ..\\POC-TOKEN-2025-09-29\n        b. Fullname: POC-TOKEN-2025-09-29\n        c. Email: poc+2025-09-29@example.test\n        d. Password: (any password)\nObserve that a YAML file containing the POC-TOKEN is written outside user/accounts/ (for example in the parent directory of user/accounts)\n\n\n### Impact\n1. Config corruption / service disruption: Overwriting system.yaml, email.yaml, or plugin config files with attacker-controlled YAML (even if limited to fields present in account YAML) could break functionality, disable services, or cause misconfiguration requiring recovery from backups.\n2. Account takeover, any user with create user privilege can modify other user\u0027s email and password by just creating a new user with the name \"..\\accounts\\USERNAME_OF_VICTIM\"\n\n\n### Proof of Concept\nhttps://github.com/user-attachments/assets/cf503d74-f765-4031-8e22-71f6b3630847",
  "id": "GHSA-h756-wh59-hhjv",
  "modified": "2025-12-02T01:23:05Z",
  "published": "2025-12-02T01:23:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-h756-wh59-hhjv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66295"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getgrav/grav"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-66295 (GCVE-0-2025-66295)

CNVD-2025-30349

FKIE_CVE-2025-66295

GHSA-H756-WH59-HHJV

Summary

Steps to Reproduce

Impact

Proof of Concept

Tags

Sightings

Nomenclature