CVE-2025-66299: CWE-94: Improper Control of Generation of Code ('Code Injection') in getgrav grav
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (SSTI) that allows any authenticated user with editor permissions to execute arbitrary code on the remote server, bypassing the existing security sandbox. Since the security sandbox does not fully protect the Twig object, it is possible to interact with it (e.g., call methods, read/write attributes) through maliciously crafted Twig template directives injected into a web page. This allows an authenticated editor to add arbitrary functions to the Twig attribute system.twig.safe_filters, effectively bypassing the Grav CMS sandbox. This vulnerability is fixed in 1.8.0-beta.27.
AI Analysis
Technical Summary
CVE-2025-66299 is a Server-Side Template Injection vulnerability affecting Grav CMS, a file-based web platform, in versions prior to 1.8.0-beta.27. The vulnerability stems from improper control over code generation (CWE-94) and insufficient sandboxing of the Twig templating engine (CWE-1336). Authenticated users with editor-level permissions can inject malicious Twig template directives that interact directly with the Twig object, bypassing the security sandbox. This manipulation allows attackers to call methods and read or write attributes on the Twig object, including adding arbitrary functions to the safe_filters attribute, effectively circumventing sandbox restrictions. As a result, attackers can execute arbitrary code on the server, leading to full system compromise. The vulnerability requires authentication but no additional user interaction, and the attack surface includes any web page editable by an editor. The CVSS v3.1 score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and privileges required. Although no exploits are currently known in the wild, the vulnerability is critical due to the potential for remote code execution. The issue is resolved in Grav CMS version 1.8.0-beta.27, which properly enforces sandbox restrictions on the Twig object. Organizations using Grav CMS should prioritize patching and review editor permissions to mitigate risk.
Potential Impact
For European organizations, this vulnerability poses a significant risk to web infrastructure relying on Grav CMS. Successful exploitation can lead to arbitrary code execution on web servers, resulting in data breaches, defacement, service disruption, or use of compromised servers as pivot points for further attacks. Confidential information stored or processed by the CMS can be exposed or altered, undermining data integrity and privacy compliance obligations such as GDPR. Availability may be impacted through denial-of-service or ransomware deployment. Since the vulnerability requires authenticated editor access, organizations with weak access controls or extensive editor privileges are particularly vulnerable. The risk is heightened in sectors with critical web presence such as government, finance, healthcare, and media. Additionally, the ability to bypass sandbox protections increases the likelihood of sophisticated attacks that evade detection by conventional security controls.
Mitigation Recommendations
1. Upgrade all Grav CMS instances to version 1.8.0-beta.27 or later immediately to apply the security fix. 2. Audit and restrict editor permissions to the minimum necessary, ensuring only trusted users have editing capabilities. 3. Implement strong authentication mechanisms, such as multi-factor authentication, to reduce the risk of compromised editor accounts. 4. Monitor web server logs and CMS activity for unusual template modifications or suspicious behavior indicative of exploitation attempts. 5. Employ web application firewalls (WAFs) with custom rules to detect and block malicious Twig template injections. 6. Regularly review and harden CMS configurations, disabling unnecessary features that could be exploited. 7. Conduct security awareness training for content editors to recognize phishing and credential theft attempts. 8. Maintain regular backups of CMS content and server configurations to enable rapid recovery in case of compromise.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
CVE-2025-66299: CWE-94: Improper Control of Generation of Code ('Code Injection') in getgrav grav
Description
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (SSTI) that allows any authenticated user with editor permissions to execute arbitrary code on the remote server, bypassing the existing security sandbox. Since the security sandbox does not fully protect the Twig object, it is possible to interact with it (e.g., call methods, read/write attributes) through maliciously crafted Twig template directives injected into a web page. This allows an authenticated editor to add arbitrary functions to the Twig attribute system.twig.safe_filters, effectively bypassing the Grav CMS sandbox. This vulnerability is fixed in 1.8.0-beta.27.
AI-Powered Analysis
Technical Analysis
CVE-2025-66299 is a Server-Side Template Injection vulnerability affecting Grav CMS, a file-based web platform, in versions prior to 1.8.0-beta.27. The vulnerability stems from improper control over code generation (CWE-94) and insufficient sandboxing of the Twig templating engine (CWE-1336). Authenticated users with editor-level permissions can inject malicious Twig template directives that interact directly with the Twig object, bypassing the security sandbox. This manipulation allows attackers to call methods and read or write attributes on the Twig object, including adding arbitrary functions to the safe_filters attribute, effectively circumventing sandbox restrictions. As a result, attackers can execute arbitrary code on the server, leading to full system compromise. The vulnerability requires authentication but no additional user interaction, and the attack surface includes any web page editable by an editor. The CVSS v3.1 score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and privileges required. Although no exploits are currently known in the wild, the vulnerability is critical due to the potential for remote code execution. The issue is resolved in Grav CMS version 1.8.0-beta.27, which properly enforces sandbox restrictions on the Twig object. Organizations using Grav CMS should prioritize patching and review editor permissions to mitigate risk.
Potential Impact
For European organizations, this vulnerability poses a significant risk to web infrastructure relying on Grav CMS. Successful exploitation can lead to arbitrary code execution on web servers, resulting in data breaches, defacement, service disruption, or use of compromised servers as pivot points for further attacks. Confidential information stored or processed by the CMS can be exposed or altered, undermining data integrity and privacy compliance obligations such as GDPR. Availability may be impacted through denial-of-service or ransomware deployment. Since the vulnerability requires authenticated editor access, organizations with weak access controls or extensive editor privileges are particularly vulnerable. The risk is heightened in sectors with critical web presence such as government, finance, healthcare, and media. Additionally, the ability to bypass sandbox protections increases the likelihood of sophisticated attacks that evade detection by conventional security controls.
Mitigation Recommendations
1. Upgrade all Grav CMS instances to version 1.8.0-beta.27 or later immediately to apply the security fix. 2. Audit and restrict editor permissions to the minimum necessary, ensuring only trusted users have editing capabilities. 3. Implement strong authentication mechanisms, such as multi-factor authentication, to reduce the risk of compromised editor accounts. 4. Monitor web server logs and CMS activity for unusual template modifications or suspicious behavior indicative of exploitation attempts. 5. Employ web application firewalls (WAFs) with custom rules to detect and block malicious Twig template injections. 6. Regularly review and harden CMS configurations, disabling unnecessary features that could be exploited. 7. Conduct security awareness training for content editors to recognize phishing and credential theft attempts. 8. Maintain regular backups of CMS content and server configurations to enable rapid recovery in case of compromise.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2025-11-26T23:11:46.393Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 692e07e33937fa579fd7fc68
Added to database: 12/1/2025, 9:25:55 PM
Last enriched: 12/1/2025, 9:41:13 PM
Last updated: 12/1/2025, 10:36:01 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-66403: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in error311 FileRise
MediumCVE-2025-66400: CWE-20: Improper Input Validation in syntax-tree mdast-util-to-hast
MediumCVE-2025-66313: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in ChurchCRM CRM
MediumCVE-2025-66307: CWE-204: Observable Response Discrepancy in getgrav grav
MediumCVE-2025-66308: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in getgrav grav
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.