GHSA-J422-QMXP-HV94

Vulnerability from github – Published: 2025-12-02 00:38 – Updated: 2025-12-02 00:38
VLAI?
Summary
Grav vulnerable to Path Traversal allowing server files backup
Details

Summary

A path traversal vulnerability has been identified in Grav CMS, versions 1.7.49.5 , allowing authenticated attackers
 with administrative privileges to read arbitrary files on the underlying server filesystem. This vulnerability arises due
 to insufficient input sanitization in the backup tool, where user-supplied paths are not properly restricted, enabling
 access to files outside the intended webroot directory. The impact of this vulnerability depends on the privileges of 
the user account running the application.

PoC

To accurately demonstrate the maximum potential impact of this vulnerability, the testing environment was configured in a specific way:

- Elevated Privileges: The application was run locally with the highest possible system privileges, operating under the **`root`** user account.

- Objective: This configuration was chosen to unequivocally show that the path traversal vulnerability is not just a theoretical issue but can lead to a complete compromise of the underlying host when combined with poor operational practices. The ability to read any file on the system is the ultimate test of the flaw's severity.


Proof of Concept Goal: Under these conditions, the subsequent PoC will exploit the vulnerability to read the SSH private key
 of the `root` user (`/root/.ssh/id_rsa`). The successful exfiltration of this key represents a worst-case scenario, as it would provide 
an attacker with persistent, undetectable, and complete administrative access to the host server. This highlights the critical intersection
 of an application-layer vulnerability and a infrastructure-level misconfiguration.


1- LOGIN AS ADMIN AND  GO TO  : http://127.0.0.1/admin/tools/backups
2- Change 'Root Folder' to backup directory /../../../../../../../root/.ssh/

Screenshot 2025-09-11 161519

3- CLICK  : 'SAVE'
4- CLICK  : 'Backup Now'

Screenshot 2025-09-11 154151

5- Extract Backup :

Screenshot 2025-09-11 160114 Screenshot 2025-09-11 160135

Severity ?
6.8 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getgrav/grav"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.0-beta.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66302"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-02T00:38:41Z",
    "nvd_published_at": "2025-12-01T22:15:49Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n```\nA path traversal vulnerability has been identified in Grav CMS, versions 1.7.49.5 , allowing authenticated attackers\n with administrative privileges to read arbitrary files on the underlying server filesystem. This vulnerability arises due\n to insufficient input sanitization in the backup tool, where user-supplied paths are not properly restricted, enabling\n access to files outside the intended webroot directory. The impact of this vulnerability depends on the privileges of \nthe user account running the application.\n```\n\n### PoC\n```\nTo accurately demonstrate the maximum potential impact of this vulnerability, the testing environment was configured in a specific way:\n\n- Elevated Privileges: The application was run locally with the highest possible system privileges, operating under the **`root`** user account.\n    \n- Objective: This configuration was chosen to unequivocally show that the path traversal vulnerability is not just a theoretical issue but can lead to a complete compromise of the underlying host when combined with poor operational practices. The ability to read any file on the system is the ultimate test of the flaw\u0027s severity.\n    \n\nProof of Concept Goal: Under these conditions, the subsequent PoC will exploit the vulnerability to read the SSH private key\n of the `root` user (`/root/.ssh/id_rsa`). The successful exfiltration of this key represents a worst-case scenario, as it would provide \nan attacker with persistent, undetectable, and complete administrative access to the host server. This highlights the critical intersection\n of an application-layer vulnerability and a infrastructure-level misconfiguration.\n\n```\n\n\n\n\n```\n1- LOGIN AS ADMIN AND  GO TO  : http://127.0.0.1/admin/tools/backups\n2- Change \u0027Root Folder\u0027 to backup directory /../../../../../../../root/.ssh/ \n\n```\n\u003cimg width=\"1902\" height=\"492\" alt=\"Screenshot 2025-09-11 161519\" src=\"https://github.com/user-attachments/assets/23a60dc3-7758-4e24-b910-e66a1dd1f5e2\" /\u003e\n\n\n\n```\n3- CLICK  : \u0027SAVE\u0027\n4- CLICK  : \u0027Backup Now\u0027\n```\n\n\u003cimg width=\"1916\" height=\"512\" alt=\"Screenshot 2025-09-11 154151\" src=\"https://github.com/user-attachments/assets/88a63ff2-777e-467e-857b-0644ef698499\" /\u003e\n\n```\n5- Extract Backup :\n```\n\n\n\u003cimg width=\"704\" height=\"101\" alt=\"Screenshot 2025-09-11 160114\" src=\"https://github.com/user-attachments/assets/b91ce4db-9843-4280-b8f0-32c73aa12d4d\" /\u003e\n\u003cimg width=\"567\" height=\"101\" alt=\"Screenshot 2025-09-11 160135\" src=\"https://github.com/user-attachments/assets/155ce7d8-c2fc-4b54-b054-f7c7550bec82\" /\u003e",
  "id": "GHSA-j422-qmxp-hv94",
  "modified": "2025-12-02T00:38:41Z",
  "published": "2025-12-02T00:38:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-j422-qmxp-hv94"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66302"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getgrav/grav"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Grav vulnerable to Path Traversal allowing server files backup"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.