GHSA-8535-HVM8-2HMV

Vulnerability from github – Published: 2025-12-02 01:25 – Updated: 2025-12-02 01:25
VLAI?
Summary
Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms
Details

Summary

Having a simple form on site can reveal the whole Grav configuration details (including plugin configuration details) by using the correct POST payload. Sensitive information may be contained in the configuration details.

PoC

Create a simple form with two fields, 'registration-number' and 'hp'. Add a submit button and set the method to POST(screenshot attached below). Form name set to 'hero-form'. Send a POST request with the following payload and you will notice a response with a php array listing the whole Grav configuration details - including plugins(screenshot attached).

registration-number:d643aaaa

hp:vJyifp

form-name:hero-form

unique_form_id:{{var_dump(_context|slice(0,7))}}

Screenshot 2025-03-25 at 7 26 02 AM

Screenshot 2025-03-25 at 7 22 58 AM

Impact

Server-Side Template (SST) vulnerability. The vulnerability affects the latest Grav version as of 25th of Match 2025 (1.7.48) with all plugins installed (including forms plugin v.7.4.2) to their latest versions as well.

Severity ?
7.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getgrav/grav"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.0-beta.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66298"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-02T01:25:33Z",
    "nvd_published_at": "2025-12-01T22:15:49Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nHaving a simple form on site can reveal the whole Grav configuration details (including plugin configuration details) by using the correct POST payload. Sensitive information may be contained in the configuration details.\n\n### PoC\nCreate a simple form with two fields, \u0027registration-number\u0027 and \u0027hp\u0027. Add a submit button and set the method to POST(screenshot attached below). Form name set to \u0027hero-form\u0027. Send a POST request with the following payload and you will notice a response with a php array listing the whole Grav configuration details - including plugins(screenshot attached).\n\nregistration-number:d643aaaa\n\nhp:vJyifp\n\n__form-name__:hero-form\n\n__unique_form_id__:{{var_dump(_context|slice(0,7))}}\n\n\n![Screenshot 2025-03-25 at 7 26 02\u202fAM](https://github.com/user-attachments/assets/b92b099b-c07a-4ea2-a3f9-47361ceb9355)\n\n![Screenshot 2025-03-25 at 7 22 58\u202fAM](https://github.com/user-attachments/assets/d9146fd3-5887-4bf8-87d9-78f43ade91c8)\n\n\n### Impact\nServer-Side Template (SST) vulnerability. The vulnerability affects the latest Grav version as of 25th of Match 2025 (1.7.48) with all plugins installed (including forms plugin v.7.4.2) to their latest versions as well.",
  "id": "GHSA-8535-hvm8-2hmv",
  "modified": "2025-12-02T01:25:33Z",
  "published": "2025-12-02T01:25:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-8535-hvm8-2hmv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66298"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getgrav/grav"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.