CVE-2025-66295: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in getgrav grav
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, when a user with privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example ..\Nijat or ../Nijat), Grav writes the account YAML file to an unintended path outside user/accounts/. The written YAML can contain account fields such as email, fullname, twofa_secret, and hashed_password. This vulnerability is fixed in 1.8.0-beta.27.
AI Analysis
Technical Summary
CVE-2025-66295 is a path traversal vulnerability classified under CWE-22 that affects Grav, a popular file-based web content management system. The flaw exists in versions prior to 1.8.0-beta.27 and is triggered when a user with the privilege to create new users inputs a username containing path traversal sequences (e.g., '..\Nijat' or '../Nijat') via the Admin UI. Instead of restricting file writes to the designated user/accounts/ directory, Grav improperly processes the pathname and writes the YAML account file outside this directory. These YAML files contain sensitive account information such as email addresses, full names, two-factor authentication secrets, and hashed passwords. Exploiting this vulnerability could allow an attacker with user creation privileges to overwrite or create arbitrary files on the server, potentially leading to privilege escalation, unauthorized access, or denial of service. The vulnerability is remotely exploitable over the network without user interaction but requires authenticated access with user creation rights. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability. Although no public exploits are currently known, the vulnerability poses a significant risk to Grav installations that have not been updated to version 1.8.0-beta.27 or later.
Potential Impact
For European organizations, this vulnerability could lead to severe consequences including unauthorized access to user accounts, leakage of sensitive user data, and potential full compromise of Grav-based web platforms. Since Grav is used to manage website content and user accounts, exploitation could allow attackers to manipulate website content, create backdoors, or disrupt services. This can damage organizational reputation, lead to data breaches under GDPR regulations, and cause operational downtime. Organizations that rely on Grav for critical public-facing websites or internal portals are particularly at risk. The requirement for authenticated user creation privileges limits exposure somewhat, but insider threats or compromised accounts could still exploit this flaw. The high CVSS score indicates that the vulnerability can have a broad and damaging impact on confidentiality, integrity, and availability of affected systems.
Mitigation Recommendations
1. Upgrade Grav installations to version 1.8.0-beta.27 or later immediately to apply the official fix.
2. Restrict user creation privileges strictly to trusted administrators and monitor account creation activities for suspicious patterns.
3. Implement input validation and sanitization on usernames at the application or web server level to block path traversal sequences.
4. Conduct regular audits of file system permissions to ensure that Grav cannot write outside intended directories.
5. Employ web application firewalls (WAFs) with custom rules to detect and block path traversal attempts in user creation requests.
6. Monitor logs for anomalous file write operations or unexpected account file locations.
7. Educate administrators about the risks of path traversal and the importance of privilege management.
8. Consider isolating Grav instances in containerized or sandboxed environments to limit potential damage from exploitation.
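Recommendations 3 and 6 above are the ones a developer or operator can act on directly. The example below is added here and is not Grav's code: it shows an allowlist username check plus a second, independent containment check on the resolved path (so that both `../Nijat` and the Windows-style `..\Nijat` from the description are refused), and a small detection helper that scans audit-log lines for account writes that resolved outside the accounts directory. The accounts directory, the username policy and the log line format are all assumptions constructed for this example.

```python
"""
Added example (not Grav's own code): defensive handling of a user-supplied
username before it becomes part of an account file path, plus a log audit
helper for spotting account files written outside the accounts directory.
"""
import os
import re
from pathlib import Path
from typing import List

# Assumed policy for this example (not Grav's rule): letters, digits, dot,
# dash and underscore, 1-64 chars, and the name may not start with a dot.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}$")

# Assumed audit-log format for this example: "<ts> account.write path=<p> actor=<u>"
LOG_RE = re.compile(r"account\.write\s+path=(\S+)")


def validate_username(username: str) -> bool:
    """Accept only names that can never be split into path components.

    Both separators are rejected explicitly because the attacker-supplied
    name may be processed on Windows ('\\') or POSIX ('/')."""
    if not USERNAME_RE.fullmatch(username):
        return False
    return "/" not in username and "\\" not in username and ".." not in username


def _is_within(base: Path, candidate: Path) -> bool:
    """True if candidate (already resolved) lives strictly under base."""
    return base in candidate.parents


def account_path(accounts_dir: str, username: str) -> str:
    """Return <accounts_dir>/<username>.yaml, refusing any traversal.

    Defence in depth: the allowlist rejects the raw name, and the
    containment check on the resolved path catches anything a future
    change to the allowlist might let through."""
    if not validate_username(username):
        raise ValueError(f"invalid username: {username!r}")
    base = Path(accounts_dir).resolve()
    candidate = (base / f"{username}.yaml").resolve()  # resolve() collapses ".."
    if not _is_within(base, candidate):
        raise ValueError(f"path escapes accounts dir: {candidate}")
    return str(candidate)


def audit_log_lines(accounts_dir: str, lines: List[str]) -> List[str]:
    """Detection side: return the path= values of account.write log lines
    whose target resolved outside accounts_dir (relative paths are taken
    relative to accounts_dir, as the application would)."""
    base = Path(accounts_dir).resolve()
    flagged = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not an account write; ignore
        raw = m.group(1)
        resolved = Path(raw).resolve() if os.path.isabs(raw) else (base / raw).resolve()
        if not _is_within(base, resolved):
            flagged.append(raw)
    return flagged


# Constructed sample log lines for the audit helper (not real Grav output).
SAMPLE_LOG = [
    "2025-12-01T20:57:43Z account.write path=nijat.yaml actor=admin",
    "2025-12-01T20:58:01Z account.write path=../Nijat.yaml actor=admin",
    "2025-12-01T20:58:30Z page.save path=pages/01.home/default.md actor=editor",
    "2025-12-01T20:59:12Z account.write path=/srv/grav/user/accounts/bob.yaml actor=admin",
]

if __name__ == "__main__":
    accounts = "/srv/grav/user/accounts"  # assumed location for the example
    for name in ("Nijat", "../Nijat", "..\\Nijat"):
        try:
            print(name, "->", account_path(accounts, name))
        except ValueError as exc:
            print(name, "-> rejected:", exc)
    print("escaped writes in log:", audit_log_lines(accounts, SAMPLE_LOG))
```

The two checks in `account_path` are deliberately independent: the allowlist is the primary control and is what recommendation 3 asks for, while the `resolve()`-then-containment check is the backstop that would still hold if the allowlist were loosened later. The audit helper is the kind of post-hoc check recommendation 6 describes; on a real system it would read the application's own log format rather than the constructed lines shown here.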
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-26T23:11:46.393Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 692e0147821c4e4a8f8d8923
Added to database: 12/1/2025, 8:57:43 PM
Last enriched: 12/8/2025, 9:13:35 PM
Last updated: 1/16/2026, 5:18:57 AM