CVE-2025-66305: CWE-248: Uncaught Exception in getgrav grav
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Denial of Service (DoS) vulnerability was identified in the "Languages" submenu of the Grav admin configuration panel (/admin/config/system). Specifically, the Supported parameter fails to properly validate user input. If a malformed value is inserted—such as a single forward slash (/) or an XSS test string—it causes a fatal regular expression parsing error on the server. This leads to application-wide failure due to the use of the preg_match() function with an improperly constructed regular expression, resulting in an error. Once triggered, the site becomes completely unavailable to all users. This vulnerability is fixed in 1.8.0-beta.27.
AI Analysis
Technical Summary
CVE-2025-66305 is a vulnerability in the Grav CMS platform, specifically in versions before 1.8.0-beta.27. Grav is a file-based web platform used for building websites without a database backend. The vulnerability resides in the 'Languages' submenu of the admin configuration panel (/admin/config/system), where the 'Supported' parameter accepts user input that is not properly validated. When a malformed value such as a single forward slash (/) or an XSS test string is submitted, that value ends up inside the pattern passed to preg_match(), producing an improperly constructed regular expression. The resulting regular expression parsing error surfaces as an uncaught exception, and every subsequent request fails, so the entire Grav site becomes unavailable. The CVSS 4.0 score is 6.9 (medium severity), reflecting a network attack vector, low attack complexity and no user interaction, but requiring high (administrative) privileges on the system. No known exploits are currently in the wild, and the issue is resolved in Grav version 1.8.0-beta.27. The root cause is categorized under CWE-248 (Uncaught Exception).
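The failure mode described above is generic PHP regex hygiene: a configuration value interpolated into a preg_match() pattern can contain the pattern delimiter or other metacharacters, the pattern then fails to compile, and an error handler that promotes warnings to exceptions turns that into a request-killing exception. The following is an added, hypothetical example (not Grav's code; the function names, the language-code validation rule and the sample configuration are assumptions) showing the fragile construction next to a hardened version that validates against an allowlist, escapes with preg_quote(), and handles a false return from preg_match() explicitly.

```php
<?php
// Added example, not Grav's code. Shows why interpolating a configured
// "supported languages" list into a preg_match() pattern is fragile, and
// two defensive fixes: allowlist validation before the regex engine sees
// the value, and preg_quote() so delimiter characters cannot end the pattern.

declare(strict_types=1);

/**
 * Hypothetical "before": builds the pattern from configured language codes
 * without escaping. A code containing the "/" delimiter (or other regex
 * metacharacters) yields a malformed pattern; preg_match() then emits a
 * warning and returns false. Under an error handler that promotes warnings
 * to exceptions, that warning becomes an uncaught exception and the request dies.
 */
function matchesSupportedLanguageUnsafe(array $supported, string $candidate): bool
{
    $pattern = '/^(' . implode('|', $supported) . ')$/';
    // "@" is used here only so this demo can observe the false return
    // instead of aborting; production code should not suppress the warning.
    $result = @preg_match($pattern, $candidate);
    return $result === 1;
}

/**
 * Fix, step 1: validate each configured value against the shape a language
 * code can actually have (assumed rule: BCP 47-style letters, digits and
 * hyphens). Anything else is rejected with a clear message before it can
 * reach the regex engine.
 */
function validateLanguageCodes(array $supported): array
{
    $errors = [];
    foreach ($supported as $code) {
        if (!is_string($code) || preg_match('/^[A-Za-z]{2,8}(-[A-Za-z0-9]{1,8})*$/', $code) !== 1) {
            $errors[] = sprintf('Invalid language code: %s', var_export($code, true));
        }
    }
    return $errors;
}

/**
 * Fix, step 2: even after validation, escape every value with preg_quote()
 * (passing the delimiter) and treat a false return from preg_match() as a
 * handled error rather than letting it propagate as a fatal condition.
 */
function matchesSupportedLanguage(array $supported, string $candidate): bool
{
    $errors = validateLanguageCodes($supported);
    if ($errors !== []) {
        throw new InvalidArgumentException(implode('; ', $errors));
    }
    $escaped = array_map(static fn(string $c): string => preg_quote($c, '/'), $supported);
    $pattern = '/^(?:' . implode('|', $escaped) . ')$/';
    $result  = preg_match($pattern, $candidate);
    if ($result === false) {
        // Should be unreachable after validation, but never let it become a fatal.
        throw new RuntimeException('Language pattern failed: ' . preg_last_error_msg());
    }
    return $result === 1;
}

// Constructed sample inputs: a normal configuration and a malformed one
// containing the lone "/" mentioned in the advisory.
$good = ['en', 'fr', 'de-CH'];
$bad  = ['en', '/'];

var_dump(matchesSupportedLanguageUnsafe($good, 'fr'));
var_dump(matchesSupportedLanguageUnsafe($bad, 'en'));

var_dump(matchesSupportedLanguage($good, 'de-CH'));
try {
    matchesSupportedLanguage($bad, 'en');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

With the malformed configuration, the unsafe function's pattern becomes `/^(en|/)$/`: the second `/` closes the pattern early and the remainder is parsed as unknown modifiers, so preg_match() returns false. The hardened function never builds that pattern; the allowlist check rejects the lone slash with an InvalidArgumentException that the admin form can report back to the user, and the preg_quote() escaping plus the explicit false check cover anything the allowlist does not anticipate.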
Potential Impact
For European organizations, this vulnerability can cause complete service outages of websites or web applications running on vulnerable Grav versions. Since Grav is often used for content management and small to medium business websites, an outage can disrupt business operations and customer access and damage reputation. The DoS nature means attackers can render sites unavailable without needing to steal data or escalate privileges beyond admin access. Organizations relying on Grav for critical web presence or internal portals may experience significant operational impact. Additionally, if attackers gain administrative access through other means, they could exploit this vulnerability to cause denial of service, amplifying the damage. The lack of user interaction and the network attack vector mean the vulnerability can be exploited remotely once admin access is compromised, increasing risk.
Mitigation Recommendations
1. Upgrade all Grav installations to version 1.8.0-beta.27 or later immediately to apply the patch that fixes this vulnerability.
2. Restrict access to the Grav admin panel (/admin) using network-level controls such as IP whitelisting, VPNs, or firewall rules to limit exposure to trusted administrators only.
3. Implement strong authentication and authorization controls to prevent unauthorized administrative access, including multi-factor authentication (MFA).
4. Monitor web server and application logs for unusual requests targeting the 'Languages' submenu or malformed input patterns that could indicate exploitation attempts.
5. Conduct regular security audits and vulnerability scans on Grav installations to detect outdated versions or misconfigurations.
6. Consider implementing Web Application Firewalls (WAF) with custom rules to detect and block suspicious regular expression patterns or malformed inputs targeting the affected parameter.
7. Educate administrators on secure configuration practices and the importance of timely patching.
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-26T23:11:46.395Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 692e0ef03937fa579fe4618a
Added to database: 12/1/2025, 9:56:00 PM
Last enriched: 12/8/2025, 10:12:01 PM
Last updated: 1/16/2026, 3:04:36 AM