N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-66298

GHSA ID

GHSA-8535-hvm8-2hmv

EPSS Score

CWE

CWE-1336

Published

12/2/2025

Updated

12/2/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-66298

CVE-2025-66298: Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms

Summary

Having a simple form on site can reveal the whole Grav configuration details (including plugin configuration details) by using the correct POST payload. Sensitive information may be contained in the configuration details.

PoC

Create a simple form with two fields, 'registration-number' and 'hp'. Add a submit button and set the method to POST(screenshot attached below). Form name set to 'hero-form'. Send a POST request with the following payload and you will notice a response with a php array listing the whole Grav configuration details - including plugins(screenshot attached).

registration-number:d643aaaa

hp:vJyifp

form-name:hero-form

unique_form_id:{{var_dump(_context|slice(0,7))}}

Screenshot 2025-03-25 at 7 26 02 AM

Screenshot 2025-03-25 at 7 22 58 AM

Impact

Server-Side Template (SST) vulnerability. The vulnerability affects the latest Grav version as of 25th of Match 2025 (1.7.48) with all plugins installed (including forms plugin v.7.4.2) to their latest versions as well.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-66298

CVE-2025-66298:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-66298

GHSA ID

GHSA-8535-hvm8-2hmv

EPSS Score

CWE

CWE-1336

Published

12/2/2025

Updated

12/2/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
getgrav/grav	composer	< 1.8.0-beta.27	1.8.0-beta.27

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a Server-Side Template Injection (SSTI) in Grav's form processing, identified as GHSA-8535-hvm8-2hmv. The root cause is the insufficient sanitization of user-provided data that is subsequently rendered by the Twig templating engine. The proof-of-concept demonstrates that by injecting a malicious Twig expression into the __unique_form_id__ form parameter, an attacker can access and dump the _context variable, which contains sensitive application data.

The provided patch directly addresses this issue by hardening the Grav\Common\Security::cleanDangerousTwig function. Analysis of the commit e37259527d9c1deb6200f8967197a9fa587c6458 reveals that the original implementation of this function used a very limited and inadequate blocklist. The patch replaces this with a comprehensive and centralized approach using regular expressions to block a wide range of dangerous functions, properties, and patterns, including the _context variable that was exploited.

Therefore, the function Grav\Common\Security::cleanDangerousTwig is identified as the vulnerable function. It is the component that directly fails to neutralize the malicious input, thus creating the SSTI vulnerability. During exploitation, a stack trace would likely show this function being called as part of the form processing workflow before the template is rendered.

Vulnerable functions

Grav\Common\Security::cleanDangerousTwig

system/src/Grav/Common/Security.php

This function is responsible for sanitizing strings that will be processed by the Twig template engine. Before the patch, its blocklist of dangerous elements was insufficient. Specifically, it did not prevent access to the `_context` variable, which contains all variables in the current Twig context. An attacker could inject a payload like `{{ dump(_context) }}` into a form field (as shown in the PoC with `__unique_form_id__`) to leak sensitive information from the application's configuration and environment, leading to a Server-Side Template Injection (SSTI) vulnerability.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-66298: Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms

Summary

PoC

Impact

CVE-2025-66298:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

CVE-2025-66298: Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms

Summary

PoC

Impact

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI