CVE-2025-66299: CWE-94: Improper Control of Generation of Code ('Code Injection') in getgrav grav
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (SSTI) that allows any authenticated user with editor permissions to execute arbitrary code on the remote server, bypassing the existing security sandbox. Since the security sandbox does not fully protect the Twig object, it is possible to interact with it (e.g., call methods, read/write attributes) through maliciously crafted Twig template directives injected into a web page. This allows an authenticated editor to add arbitrary functions to the Twig attribute system.twig.safe_filters, effectively bypassing the Grav CMS sandbox. This vulnerability is fixed in 1.8.0-beta.27.
AI Analysis
Technical Summary
CVE-2025-66299 is a Server-Side Template Injection vulnerability affecting Grav CMS, a file-based web platform. The flaw exists in Grav versions prior to 1.8.0-beta.27 and arises from insufficient sandboxing of the Twig templating engine. Authenticated users with editor permissions can inject malicious Twig template directives that interact with the Twig object beyond intended restrictions. Specifically, attackers can add arbitrary functions to the Twig attribute system.twig.safe_filters, effectively bypassing the sandbox protections. This allows execution of arbitrary code on the server, compromising system confidentiality, integrity, and availability. The vulnerability requires authentication with editor-level privileges but no additional user interaction. The CVSS v3.1 score is 8.8, reflecting network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability. While no public exploits are known, the vulnerability poses a significant risk due to the ease of exploitation and potential for full system compromise. The flaw is tracked under CWE-94 (Improper Control of Generation of Code) and CWE-1336 (Improper Control of Dynamically-Generated Code). The issue was publicly disclosed on December 1, 2025, and fixed in Grav version 1.8.0-beta.27.
Potential Impact
For European organizations, this vulnerability presents a critical risk to web infrastructure relying on Grav CMS. Successful exploitation can lead to full server compromise, data theft, defacement, or use of the server as a pivot point for further attacks. Confidentiality of sensitive data stored or processed by Grav sites can be breached, while integrity and availability of web services can be disrupted. Given the network attack vector and low complexity, attackers with editor credentials can quickly exploit this flaw. Organizations in sectors such as government, finance, healthcare, and media that use Grav CMS for public-facing or internal websites are particularly at risk. The vulnerability could also facilitate ransomware deployment or supply chain attacks if Grav is part of a larger web ecosystem. The lack of known exploits currently provides a window for proactive patching and mitigation before widespread abuse occurs.
Mitigation Recommendations
1. Upgrade Grav CMS to version 1.8.0-beta.27 or later immediately to apply the official patch that fixes the vulnerability. 2. Restrict editor permissions strictly to trusted personnel, minimizing the number of users who can exploit this vulnerability. 3. Implement strong authentication mechanisms (e.g., multi-factor authentication) for editor accounts to reduce the risk of credential compromise. 4. Monitor web server and application logs for unusual Twig template activity or unauthorized code execution attempts. 5. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious template injection patterns targeting Twig. 6. Conduct regular security audits and code reviews of custom Grav templates to ensure no unsafe Twig directives are present. 7. Isolate Grav CMS instances in segmented network zones to limit lateral movement if compromise occurs. 8. Educate content editors about the risks of uploading or editing templates and enforce strict content validation policies.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Austria
CVE-2025-66299: CWE-94: Improper Control of Generation of Code ('Code Injection') in getgrav grav
Description
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (SSTI) that allows any authenticated user with editor permissions to execute arbitrary code on the remote server, bypassing the existing security sandbox. Since the security sandbox does not fully protect the Twig object, it is possible to interact with it (e.g., call methods, read/write attributes) through maliciously crafted Twig template directives injected into a web page. This allows an authenticated editor to add arbitrary functions to the Twig attribute system.twig.safe_filters, effectively bypassing the Grav CMS sandbox. This vulnerability is fixed in 1.8.0-beta.27.
AI-Powered Analysis
Technical Analysis
CVE-2025-66299 is a Server-Side Template Injection vulnerability affecting Grav CMS, a file-based web platform. The flaw exists in Grav versions prior to 1.8.0-beta.27 and arises from insufficient sandboxing of the Twig templating engine. Authenticated users with editor permissions can inject malicious Twig template directives that interact with the Twig object beyond intended restrictions. Specifically, attackers can add arbitrary functions to the Twig attribute system.twig.safe_filters, effectively bypassing the sandbox protections. This allows execution of arbitrary code on the server, compromising system confidentiality, integrity, and availability. The vulnerability requires authentication with editor-level privileges but no additional user interaction. The CVSS v3.1 score is 8.8, reflecting network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability. While no public exploits are known, the vulnerability poses a significant risk due to the ease of exploitation and potential for full system compromise. The flaw is tracked under CWE-94 (Improper Control of Generation of Code) and CWE-1336 (Improper Control of Dynamically-Generated Code). The issue was publicly disclosed on December 1, 2025, and fixed in Grav version 1.8.0-beta.27.
Potential Impact
For European organizations, this vulnerability presents a critical risk to web infrastructure relying on Grav CMS. Successful exploitation can lead to full server compromise, data theft, defacement, or use of the server as a pivot point for further attacks. Confidentiality of sensitive data stored or processed by Grav sites can be breached, while integrity and availability of web services can be disrupted. Given the network attack vector and low complexity, attackers with editor credentials can quickly exploit this flaw. Organizations in sectors such as government, finance, healthcare, and media that use Grav CMS for public-facing or internal websites are particularly at risk. The vulnerability could also facilitate ransomware deployment or supply chain attacks if Grav is part of a larger web ecosystem. The lack of known exploits currently provides a window for proactive patching and mitigation before widespread abuse occurs.
Mitigation Recommendations
1. Upgrade Grav CMS to version 1.8.0-beta.27 or later immediately to apply the official patch that fixes the vulnerability. 2. Restrict editor permissions strictly to trusted personnel, minimizing the number of users who can exploit this vulnerability. 3. Implement strong authentication mechanisms (e.g., multi-factor authentication) for editor accounts to reduce the risk of credential compromise. 4. Monitor web server and application logs for unusual Twig template activity or unauthorized code execution attempts. 5. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious template injection patterns targeting Twig. 6. Conduct regular security audits and code reviews of custom Grav templates to ensure no unsafe Twig directives are present. 7. Isolate Grav CMS instances in segmented network zones to limit lateral movement if compromise occurs. 8. Educate content editors about the risks of uploading or editing templates and enforce strict content validation policies.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2025-11-26T23:11:46.393Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 692e07e33937fa579fd7fc68
Added to database: 12/1/2025, 9:25:55 PM
Last enriched: 12/8/2025, 10:17:02 PM
Last updated: 1/16/2026, 1:36:56 AM
Views: 56
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-65118: CWE-427 in AVEVA Process Optimization
HighCVE-2025-65117: CWE-676 in AVEVA Process Optimization
HighCVE-2025-64769: CWE-319 in AVEVA Process Optimization
HighCVE-2025-64729: CWE-862 in AVEVA Process Optimization
HighCVE-2025-64691: CWE-94 in AVEVA Process Optimization
HighActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.