GHSA-H756-WH59-HHJV
Vulnerability from github – Published: 2025-12-02 01:23 – Updated: 2025-12-02 01:23
Summary
When a user with the user-creation privilege creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example ..\Nijat or ../Nijat), Grav writes the account YAML file to an unintended path outside user/accounts/. The written YAML can contain account fields such as email, fullname, twofa_secret, and hashed_password. In my tests, I was able to cause the Admin UI to write the following content into arbitrary .yaml files (including email.yaml, system.yaml, and other site YAML files such as admin.yaml), demonstrating an arbitrary YAML write/overwrite via the Admin UI.
Example observed content written by the Admin UI (test data):
username: ..\Nijat
state: enabled
email: EMAIL@gmail.com
fullname: 'Nijat Alizada'
language: en
content_editor: default
twofa_enabled: false
twofa_secret: RWVEIHC2AFVD6FCR6UHCO3DS4HWXKKDT
avatar: { }
hashed_password: $2y$10$wl9Ktv3vUmDKCt8o6u2oOuRZr1I04OE0YZf2sJ1QcAherbNnk1XVC
access:
  site:
    login: true
Steps to Reproduce
- Log in to the Grav Admin UI as an administrator.
- Create a new user with the following values (example):
  a. Username: ..\POC-TOKEN-2025-09-29
  b. Fullname: POC-TOKEN-2025-09-29
  c. Email: poc+2025-09-29@example.test
  d. Password: (any password)
- Observe that a YAML file containing the POC-TOKEN is written outside user/accounts/ (for example in the parent directory of user/accounts).
Impact
- Config corruption / service disruption: Overwriting system.yaml, email.yaml, or plugin config files with attacker-controlled YAML (even if limited to fields present in account YAML) could break functionality, disable services, or cause misconfiguration requiring recovery from backups.
- Account takeover: any user with the create-user privilege can modify another user's email and password simply by creating a new user with the name "..\accounts\USERNAME_OF_VICTIM".
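Both impacts above come from one root cause: the raw username is joined into the account file path. The following Python is an added illustration (not Grav's code; ACCOUNTS_DIR, USERNAME_RE and the helper names are constructed for this example) that contrasts the naive path construction with an allowlist plus a containment check, and shows why containment alone does not stop the "..\accounts\VICTIM" variant, which resolves to a path that is still inside the accounts directory.

```python
import os
import re
from typing import Dict, Optional

# Stand-in for Grav's user/accounts/ directory (constructed path, not taken from Grav).
ACCOUNTS_DIR = "/var/www/grav/user/accounts"

# Allowlist for account names. This is an assumption for the example, not Grav's rule:
# letters, digits, underscore and hyphen only, so ".", "/" and "\" never reach the path.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def naive_account_path(username: str) -> str:
    """The defect class from the advisory: the raw username becomes part of the file name."""
    return os.path.join(ACCOUNTS_DIR, username + ".yaml")


def is_inside(path: str, root: str) -> bool:
    """Containment check. Backslashes are normalised first: on POSIX "\\" is not a
    separator, but the advisory's payloads used it and Grav may run on Windows."""
    norm_path = os.path.normpath(path.replace("\\", "/"))
    norm_root = os.path.normpath(root)
    return os.path.commonpath([norm_path, norm_root]) == norm_root


def check_username(username: str) -> Dict[str, bool]:
    """Evaluate both controls independently so their gaps are visible side by side."""
    return {
        "allowlist": bool(USERNAME_RE.fullmatch(username)),
        "inside_root": is_inside(naive_account_path(username), ACCOUNTS_DIR),
    }


def resolve_account_path(username: str) -> Optional[str]:
    """Hardened construction: reject on the allowlist first, then double-check containment
    and that the resulting file is exactly <username>.yaml. Returns None when rejected."""
    if not USERNAME_RE.fullmatch(username):
        return None
    path = os.path.normpath(naive_account_path(username))
    if not is_inside(path, ACCOUNTS_DIR) or os.path.basename(path) != username + ".yaml":
        return None
    return path


if __name__ == "__main__":
    # Constructed samples mirroring the payload shapes quoted in the advisory.
    for name in ["alice", "../Nijat", "..\\Nijat", "..\\accounts\\victim"]:
        print(f"{name!r:26} {check_username(name)} -> {resolve_account_path(name)}")
```

The "..\accounts\victim" row reports inside_root as True, which is exactly why a validator that only canonicalises and compares prefixes still permits the account-takeover case.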
Proof of Concept
https://github.com/user-attachments/assets/cf503d74-f765-4031-8e22-71f6b3630847
{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getgrav/grav"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.0-beta.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66295"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-02T01:23:05Z",
    "nvd_published_at": "2025-12-01T21:15:53Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nWhen a user with privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example ..\\Nijat or ../Nijat), Grav writes the account YAML file to an unintended path outside user/accounts/. The written YAML can contain account fields such as email, fullname, twofa_secret, and hashed_password. In my tests, I was able to cause the Admin UI to write the following content into arbitrary .yaml files (including files like email.yaml, system.yaml, or other site YAML files like admin.yaml) \u2014 demonstrating arbitrary YAML write / overwrite via the Admin UI.\n\nExample observed content written by the Admin UI (test data):\nusername: ..\\Nijat\nstate: enabled\nemail: [EMAIL@gmail.com](mailto:EMAIL@gmail.com)\nfullname: \u0027Nijat Alizada\u0027\nlanguage: en\ncontent_editor: default\ntwofa_enabled: false\ntwofa_secret: RWVEIHC2AFVD6FCR6UHCO3DS4HWXKKDT\navatar: { }\nhashed_password: $2y$10$wl9Ktv3vUmDKCt8o6u2oOuRZr1I04OE0YZf2sJ1QcAherbNnk1XVC\naccess:\nsite:\nlogin: true\n\n\n### Steps to Reproduce\n1. Log in to the Grav Admin UI as an administrator.\n2. Create a new user with the following values (example):\n a. Username: ..\\POC-TOKEN-2025-09-29\n b. Fullname: POC-TOKEN-2025-09-29\n c. Email: poc+2025-09-29@example.test\n d. Password: (any password)\nObserve that a YAML file containing the POC-TOKEN is written outside user/accounts/ (for example in the parent directory of user/accounts)\n\n\n### Impact\n1. Config corruption / service disruption: Overwriting system.yaml, email.yaml, or plugin config files with attacker-controlled YAML (even if limited to fields present in account YAML) could break functionality, disable services, or cause misconfiguration requiring recovery from backups.\n2. Account takeover, any user with create user privilege can modify other user\u0027s email and password by just creating a new user with the name \"..\\accounts\\USERNAME_OF_VICTIM\"\n\n\n### Proof of Concept\nhttps://github.com/user-attachments/assets/cf503d74-f765-4031-8e22-71f6b3630847",
  "id": "GHSA-h756-wh59-hhjv",
  "modified": "2025-12-02T01:23:05Z",
  "published": "2025-12-02T01:23:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-h756-wh59-hhjv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66295"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getgrav/grav"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption"
}