CVE-2025-66300: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in getgrav grav
Grav is a file-based web platform. Prior to 1.8.0-beta.27, a low-privilege user account with page editing privileges can read any server file through the "Frontmatter" form. This includes the Grav user account files (/grav/user/accounts/*.yaml), which store the hashed user password, the 2FA secret and the password reset token. An adversary can therefore compromise any registered account, either by triggering a password reset for the target user and reading the resulting reset token from the file, or by cracking the hashed password offline. This vulnerability is fixed in 1.8.0-beta.27.
AI Analysis
Technical Summary
CVE-2025-66300 is a path traversal vulnerability (CWE-22) in the Grav CMS prior to version 1.8.0-beta.27. Grav is a flat-file CMS: content, configuration and user accounts live in files under the installation directory rather than in a database, so a file-read primitive reaches everything the application itself can read. The flaw is that the 'Frontmatter' form in the page editor accepts a path-like value without restricting it to the content directory, so a low-privilege user with page editing permission can supply traversal sequences and read arbitrary files as the web server process. The most damaging targets are the account files at /grav/user/accounts/*.yaml, which hold each user's hashed password, two-factor authentication (2FA) secret and, while a reset is pending, the password reset token. With that data an attacker can crack password hashes offline, generate valid one-time codes from the exfiltrated 2FA secret, or request a password reset for any account (including administrators) and read the token straight from the file, which yields an account takeover without any cracking. No interaction from a victim is required; the only precondition is an authenticated account with page editing privileges, which many multi-author sites grant freely. The CVSS v3.1 score is 8.5 (high), reflecting a network attack vector, low attack complexity, low privileges required, no user interaction, and a high confidentiality impact with limited integrity and availability impact. The flaw is patched in Grav 1.8.0-beta.27, and no exploitation in the wild had been reported as of publication. The root cause is the usual one for CWE-22: a user-supplied path is joined onto a base directory without checking that the resolved result still lies inside it.
Potential Impact
For European organizations using Grav CMS, this vulnerability poses a significant risk to the confidentiality of user credentials and other authentication data. Successful exploitation can lead to takeover of any account, including administrative ones, and from there to data breaches, defacement, or further lateral movement within the affected environment. Organizations handling personal or otherwise regulated data (for example under GDPR) additionally face compliance exposure and reputational damage. Because the 2FA secret itself is readable, an attacker can generate valid one-time codes, so multi-factor authentication no longer protects an affected account, and the exposed reset tokens remove the need to crack anything at all. Although the flaw does not directly affect system integrity or availability, account compromise can lead to data manipulation or service disruption. Public-facing Grav installations with several content editors or contributors are at heightened risk, since each such account is a usable entry point. The absence of known exploitation in the wild leaves a window for proactive patching before attacks become widespread.
Mitigation Recommendations
1. Upgrade all Grav installations to version 1.8.0-beta.27 or later immediately; this is the only fix for the flaw itself, everything below is a compensating control or a response measure.
2. Audit page editing privileges and grant them only to users who genuinely need them; every account with that permission is a potential entry point.
3. Treat the account files as possibly exposed on any instance that had untrusted editors before patching: rotate passwords, regenerate 2FA secrets and invalidate outstanding password reset tokens for all accounts, since the hashes, secrets and tokens in /grav/user/accounts/*.yaml may already have been read.
4. Do not rely on filesystem permissions or access monitoring on /grav/user/accounts/ to stop or detect this bug: the vulnerable form reads the files through the same PHP process that legitimately reads them during login. Put detection at the application layer instead, by logging the values submitted to admin page-editing forms and alerting on traversal sequences or on references to user/accounts/.
5. Where a WAF sits in front of the admin interface, add rules for path traversal in the editor's form fields, and make sure matching happens on the decoded value: naive patterns for ../ miss %2e%2e, double-encoded and backslash variants.
6. Include file access controls in regular security reviews and penetration tests of Grav and similar file-based CMS platforms, since any file-read primitive in such a platform reaches credentials and configuration directly.
7. Monitor application logs for unusual form submissions and for failed attempts to read YAML files under the user directory.
8. Enforce strong, unique passwords; this raises the cost of offline cracking if hashes leak. MFA remains worthwhile but does not help once the 2FA secret itself has been read, which is why rotation (item 3) matters.
9. Isolate Grav installations in segmented network zones so that a compromised CMS account cannot be used for lateral movement.
10. Educate content editors about the risks of privilege misuse and of sharing credentials.
11. Back up Grav data regularly and verify backup integrity so a compromised site can be restored from a known-good state.
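To make the root cause in the Technical Summary and the detection advice in items 4 and 5 concrete, here is an added example in Python. It is not Grav's code and does not reproduce the actual vulnerable form handler; it shows the generic unsafe pattern behind CWE-22 (joining a user-supplied path onto a base directory without checking the result) next to a hardened resolver, plus a decoded-value check of the kind a WAF rule or log scanner should apply. The directory layout and the account file contents are constructed for the example; the key names `hashed_password` and `twofa_secret` are assumptions, not taken from the advisory.

```python
"""CWE-22 in a CMS-style 'read the file a form field points at' feature.

Added example, not Grav's code. Shows the unsafe pattern, a realpath-based
containment check that fixes it, and a request-parameter check suitable for
detection. All paths, file contents and key names below are constructed.
"""
import os
import tempfile
from urllib.parse import unquote


def read_unsafe(base_dir: str, user_path: str) -> str:
    """Vulnerable: trusts user_path, so '../' walks out of base_dir."""
    with open(os.path.join(base_dir, user_path), encoding="utf-8") as fh:
        return fh.read()


def resolve_within(base_dir: str, user_path: str) -> str:
    """Return the real path of base_dir/user_path, or raise if it escapes.

    realpath() collapses '..' and follows symlinks, so a symlink inside the
    base that points outside is rejected as well. Absolute input is rejected
    up front because os.path.join() would silently discard base_dir for it.
    """
    if os.path.isabs(user_path):
        raise PermissionError(f"absolute path rejected: {user_path!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    # commonpath() handles the root directory and 'pages' vs 'pages-evil' correctly.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes {base}: {user_path!r}")
    return target


def read_safe(base_dir: str, user_path: str) -> str:
    """Hardened reader: only files resolved inside base_dir are opened."""
    with open(resolve_within(base_dir, user_path), encoding="utf-8") as fh:
        return fh.read()


def escapes(base_dir: str, user_path: str) -> bool:
    """True if user_path would resolve outside base_dir."""
    try:
        resolve_within(base_dir, user_path)
    except PermissionError:
        return True
    return False


def normalize_param(raw: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (catches %252e%252e) and unify separators."""
    value = raw
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def is_traversal_attempt(raw: str) -> bool:
    """Detection rule for a form-field value that tries to leave the content tree.

    Works on the decoded value so encoding tricks do not evade it. This is a
    monitoring/WAF control; the containment check above is the actual fix.
    """
    value = normalize_param(raw)
    segments = value.split("/")
    return ".." in segments or value.startswith("/") or "user/accounts/" in value


def demo() -> dict:
    """Build a throwaway tree mirroring the advisory's layout and exercise both readers."""
    root = tempfile.mkdtemp()
    pages = os.path.join(root, "user", "pages")
    accounts = os.path.join(root, "user", "accounts")
    os.makedirs(pages)
    os.makedirs(accounts)
    with open(os.path.join(pages, "home.md"), "w", encoding="utf-8") as fh:
        fh.write("---\ntitle: Home\n---\n")
    # Constructed account file; key names are assumed, values are placeholders.
    with open(os.path.join(accounts, "admin.yaml"), "w", encoding="utf-8") as fh:
        fh.write("hashed_password: $2y$10$EXAMPLEHASH\ntwofa_secret: EXAMPLESECRET\n")

    payload = "../accounts/admin.yaml"  # one level up from pages/, into accounts/
    return {
        "unsafe_leaks": "hashed_password" in read_unsafe(pages, payload),
        "safe_reads_legit": "title: Home" in read_safe(pages, "home.md"),
        "safe_blocks": escapes(pages, payload),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The containment check deliberately compares resolved paths rather than stripping `../` from the input: prefix stripping can be bypassed (for instance `....//` becomes `../` after one pass), while comparing the real path of the final target against the real path of the base directory leaves nothing to bypass. The detector, by contrast, is only as good as its normalization, which is why it decodes repeatedly and treats backslashes as separators before looking for `..` segments.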
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-26T23:11:46.394Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 692e07e33937fa579fd7fc6c
Added to database: 12/1/2025, 9:25:55 PM
Last enriched: 12/1/2025, 9:40:57 PM
Last updated: 12/1/2025, 10:56:07 PM
Related Threats
- CVE-2025-66415: CWE-441: Unintended Proxy or Intermediary ('Confused Deputy') in fastify fastify-reply-from (Medium)
- CVE-2025-66448: CWE-94: Improper Control of Generation of Code ('Code Injection') in vllm-project vllm (High)
- CVE-2025-66401: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in kapilduraphe mcp-watch (Critical)
- CVE-2025-66312: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in getgrav grav (Medium)
- CVE-2025-66311: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in getgrav grav (Medium)