8.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-29440

GHSA ID

GHSA-g8r4-p96j-xfxc

EPSS Score

0.95228%

CWE

CWE-94

Published

4/16/2021

Updated

1/29/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-29440

CVE-2021-29440:
Grav's Twig processing allowing dangerous PHP functions by default

Impact

Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance.

Patches

The issue was addressed by preventing dangerous functions from being called in Twig templates. A configuration option has been added to manually allow arbitrary PHP functions (system.twig.safe_functions) and filters (system.twig.safe_filters).

Futures major versions of Grav may disable this functionality by default.

Workarounds

Blocking access to the /admin path from untrusted sources will reduce the probability of exploitation.

References

https://portswigger.net/research/server-side-template-injection
https://blog.sonarsource.com/grav-cms-code-execution-vulnerabilities

For more information

If you have any questions or comments about this advisory, you can contact:

The original reporters, by sending an email to vulnerability.research [at] sonarsource.com;
The maintainers, by opening an issue on this repository.

(GitHub Advisory)

8.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-29440

GHSA ID

GHSA-g8r4-p96j-xfxc

EPSS Score

0.95228%

CWE

CWE-94

Published

4/16/2021

Updated

1/29/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
getgrav/grav	composer	<= 1.7.10	1.7.11

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from Grav's Twig environment configuration allowing unrestricted PHP function calls through undefined function resolution. The key function Grav\Common\Twig\Twig::registerUndefinedFunctionCallback (or its containing initialization method) created a bridge between Twig templates and PHP functions without security checks. During exploitation, this function would appear in stack traces as the entry point enabling arbitrary PHP function execution through Twig templates. The SonarSource blog post explicitly shows this unsafe callback registration in Twig.php, making it the primary vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Twi* pro**ssin* o* st*ti* p***s **n ** *n**l** in t** *ront m*tt*r *y *ny **ministr*tiv* us*r *llow** to *r**t* or **it p***s. *s t** Twi* pro**ssor runs uns*n**ox**, t*is ****vior **n ** us** to **in *r*itr*ry *o** *x**ution *n* *l*v*t*

Reasoning

T** vuln*r**ility st*ms *rom *r*v's Twi* *nvironm*nt *on*i*ur*tion *llowin* unr*stri*t** `P*P` *un*tion **lls t*rou** un***in** *un*tion r*solution. T** k*y *un*tion `*r*v\*ommon\Twi*\Twi*::r**ist*rUn***in***un*tion**ll***k` (or its *ont*inin* initi*

8.5

Basic Information

Concerned about an active attack path?

CVE-2021-29440: Grav's Twig processing allowing dangerous PHP functions by default

Impact

Patches

Workarounds

References

For more information

8.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-29440:
Grav's Twig processing allowing dangerous PHP functions by default

Vulnerability Intelligence
Miggo AI