
CVE-2025-66844: n/a

Severity: High
Type: Vulnerability
Published: Mon Dec 15 2025 (12/15/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

CVE-2025-66844 is a Server-Side Request Forgery (SSRF) vulnerability affecting Grav CMS versions prior to 1.7.49.5. The flaw arises when Twig templates process page content and the configuration permits registration of undefined PHP functions, enabling attackers to trigger SSRF. Exploitation could allow attackers to make unauthorized requests from the server to internal or external systems, potentially exposing sensitive data or enabling further attacks. No known exploits are currently reported in the wild. The vulnerability requires the ability to influence Twig template content and configuration settings, which may limit exploitation scope. European organizations using Grav CMS with vulnerable versions are at risk, especially those with publicly accessible Grav-based websites. Mitigation involves updating Grav to version 1.

AI-Powered Analysis

Last updated: 12/15/2025, 16:15:57 UTC

Technical Analysis

CVE-2025-66844 is a vulnerability in Grav CMS, a flat-file content management system widely used for building websites. The issue exists in versions prior to 1.7.49.5 and involves Server-Side Request Forgery (SSRF) triggered via Twig template processing. Twig is the templating engine Grav uses to render page content. When Grav processes page content through Twig and the configuration allows registration of undefined PHP functions, an attacker who can influence template content can cause the server to send HTTP requests to arbitrary internal or external resources.

SSRF can be leveraged to reach internal services not normally exposed, map internal networks, or exfiltrate sensitive information. The vulnerability does not require authentication as such: what it requires is the ability to inject or influence Twig template content, which might be possible through content management interfaces or other injection points. No public exploits have been reported yet, but the vulnerability is published and should be treated as a significant risk. No CVSS score has been assigned yet, as is common for a newly disclosed issue. The actual impact depends on the server's network environment and on how much control the attacker has over Twig templates and configuration.

The flaw highlights the risk of enabling undefined PHP function registration in Twig; that option should be disabled unless it is explicitly needed. Grav CMS users should prioritize patching and configuration review to prevent exploitation.

Potential Impact

For European organizations, the SSRF vulnerability in Grav CMS could lead to unauthorized internal network reconnaissance, data leakage, and potential pivoting to more critical internal systems. Organizations hosting public-facing Grav websites are at risk of attackers exploiting this flaw to access internal services such as databases, metadata services in cloud environments, or administrative interfaces not intended for external access. This could compromise confidentiality and integrity of sensitive data and disrupt availability if internal services are overwhelmed or manipulated. The impact is heightened for organizations with complex internal networks or those using cloud infrastructure where SSRF can access cloud metadata endpoints. Given the widespread use of Grav CMS in Europe for small to medium business websites, government portals, and educational institutions, the vulnerability poses a significant threat. The absence of known exploits currently provides a window for proactive mitigation, but the potential for rapid exploitation once public proof-of-concept code emerges is high.

Mitigation Recommendations

1. Upgrade Grav CMS to version 1.7.49.5 or later, where this vulnerability is fixed.
2. Review and disable the configuration option that allows registration of undefined PHP functions in Twig templates unless absolutely necessary.
3. Restrict user input that can influence Twig templates to trusted users only and implement strict input validation and sanitization.
4. Employ network segmentation and firewall rules to limit the server's ability to make arbitrary outbound requests, especially to internal network resources and cloud metadata endpoints.
5. Monitor web server and application logs for unusual outbound requests or template processing errors that could indicate exploitation attempts.
6. Conduct regular security audits of Grav CMS configurations and template usage to ensure no insecure settings are enabled.
7. Consider implementing Web Application Firewalls (WAFs) with custom rules to detect and block SSRF payload patterns targeting Grav CMS.
8. Educate developers and administrators about the risks of enabling undefined PHP function registration in templating engines.
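Items 1 and 2 above are the two conditions the advisory ties to this CVE: a Grav release earlier than 1.7.49.5, and Twig configured to register undefined PHP functions. The following audit script is an added example, not code from the advisory or from the Grav project; it checks both conditions offline against constructed sample files. It assumes that Grav declares its version as `define('GRAV_VERSION', '...')` in `system/defines.php`, that the relevant option is the `twig.undefined_functions` key in `system.yaml`, and that `user/config/system.yaml` overrides `system/config/system.yaml`; verify those assumptions (and Grav's shipped default for that key) against your own installation before relying on the output.

```python
# Added example (not part of the advisory): a defender-side audit of the two
# conditions the advisory ties to CVE-2025-66844 -- a Grav version earlier
# than 1.7.49.5 and Twig configured to register undefined PHP functions.
# Assumptions, labelled: Grav declares its version as
# define('GRAV_VERSION', '...') in system/defines.php, and the option is the
# `twig.undefined_functions` key in system.yaml (user/config/system.yaml
# overrides system/config/system.yaml). Verify both against your install.
import re
from typing import Optional

FIXED_VERSION = (1, 7, 49, 5)  # first fixed release named in the advisory


def parse_version(text: str) -> tuple:
    """'1.7.49.4' -> (1, 7, 49, 4); shorter strings are zero-padded."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (len(FIXED_VERSION) - len(parts))


def version_is_vulnerable(version: str) -> bool:
    """True when the installed Grav release predates the fix."""
    return parse_version(version) < FIXED_VERSION


def grav_version_from_defines(php_source: str) -> Optional[str]:
    """Pull the GRAV_VERSION constant out of system/defines.php (assumed layout)."""
    m = re.search(r"define\(\s*'GRAV_VERSION'\s*,\s*'([^']+)'\s*\)", php_source)
    return m.group(1) if m else None


def twig_undefined_functions(yaml_text: str) -> Optional[bool]:
    """Minimal reader for `twig: undefined_functions:`; None if the key is absent.

    Deliberately dependency-free: it only understands the two-level layout
    Grav uses for this block, which is enough for an audit script.
    """
    in_twig = False
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop YAML comments
        if not line.strip():
            continue
        if len(line) - len(line.lstrip()) == 0:  # top-level key starts a new block
            in_twig = line.strip() == "twig:"
            continue
        if in_twig:
            m = re.match(r"\s*undefined_functions\s*:\s*['\"]?(\w+)", line)
            if m:
                return m.group(1).lower() in ("true", "yes", "on", "1")
    return None


def assess(defines_php: str, user_yaml: str, default_yaml: str) -> dict:
    """Combine both checks; `exposed` is True only when both conditions hold."""
    version = grav_version_from_defines(defines_php)
    setting = twig_undefined_functions(user_yaml)
    if setting is None:  # user config does not override it: fall back to defaults
        setting = twig_undefined_functions(default_yaml)
    vulnerable_version = version is not None and version_is_vulnerable(version)
    return {
        "version": version,
        "vulnerable_version": vulnerable_version,
        "undefined_functions": bool(setting),
        "exposed": vulnerable_version and bool(setting),
    }


# Constructed sample inputs (not taken from any real installation).
SAMPLE_DEFINES_PHP = "<?php\ndefine('GRAV_VERSION', '1.7.49.4');\n"
SAMPLE_DEFAULT_YAML = "twig:\n  cache: true\n  undefined_functions: true\n  undefined_filters: true\n"
SAMPLE_USER_YAML_WEAK = "cache:\n  enabled: true\ntwig:\n  undefined_functions: true  # default left on\n"
SAMPLE_USER_YAML_HARDENED = "cache:\n  enabled: true\ntwig:\n  undefined_functions: false\n  undefined_filters: false\n"

if __name__ == "__main__":
    for label, user_yaml in (("weak", SAMPLE_USER_YAML_WEAK), ("hardened", SAMPLE_USER_YAML_HARDENED)):
        print(label, assess(SAMPLE_DEFINES_PHP, user_yaml, SAMPLE_DEFAULT_YAML))
```

Running the script on the constructed samples reports the "weak" configuration as exposed and the "hardened" one as not exposed, while still flagging the version as vulnerable in both cases: turning the option off removes the precondition the advisory describes, but it is a compensating control, and item 1 (upgrading) remains the fix. Point `assess()` at the real `system/defines.php` and the two `system.yaml` files to audit an installation.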


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-12-08T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69403091d9bcdf3f3de86a15

Added to database: 12/15/2025, 4:00:17 PM

Last enriched: 12/15/2025, 4:15:57 PM

Last updated: 12/15/2025, 8:16:28 PM