8.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-66300

GHSA ID

GHSA-p4ww-mcp9-j6f2

EPSS Score

CWE

CWE-22

Published

12/2/2025

Updated

12/2/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-66300

CVE-2025-66300: Grav is vulnerable to Arbitrary File Read

Summary

A low privilege user account with page editing privilege can read any server files using "Frontmatter" form.
This includes Grav user account files - /grav/user/accounts/*.yaml. This file stores hashed user password, 2FA secret, and the password reset token.
This can allow an adversary to compromise any registered account by resetting a password for a user to get access to the password reset token from the file or by cracking the hashed password.

Details

The vulnerability can be found in /user/plugins/form/templates/forms/fields/display/display.html.twig

PoC

This PoC was conducted on Grav CMS version 1.7.46 and Admin Plugin version 1.10.46

go to “http://grav.local/admin/pages” then create new page with “Page Template” option set to “Form”.

Then go to “Expert” and on Frontmatter input box used to following form template.

Save page and go the preview or published page you will see the content of “/etc/passwd” file on the server.

Impact

This can allow a low privileged user to perform a full account takeover of other registered users including Administrators. This can also allow an adversary to read any file on the web server. And Due to insufficient permission verification , user who can write a page also can use frontmatter feature using this IDOR vulnerability PoC IDOR mention in CVE-2024-2792

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-66300

CVE-2025-66300:

8.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-66300

GHSA ID

GHSA-p4ww-mcp9-j6f2

EPSS Score

CWE

CWE-22

Published

12/2/2025

Updated

12/2/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
getgrav/grav	composer	< 1.8.0-beta.27	1.8.0-beta.27

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability allows arbitrary file reads through a path traversal weakness in the readFileFunc method within the Grav\Common\Twig\Extension\GravExtension class. This function is exposed to the Twig templating engine as the read_file function. The vulnerability description and Proof of Concept (PoC) show that an attacker with privileges to edit a page can create a form with a display field. The content of this field can be set to execute the read_file function with a path to a sensitive file on the server (e.g., /etc/passwd).

The provided commit ed640a13143c4177af013cf001969ed2c5e197ee directly patches the readFileFunc function. The original implementation simply checked if the file existed and then read it. The patch adds multiple security controls:

It resolves the absolute path of the file using realpath() to prevent traversal sequences like ../.
It verifies that the resolved path is within the GRAV_ROOT directory, restricting file access to the application's intended scope.
It implements a blocklist of regular expressions to prevent access to sensitive files and directories such as user account files (*.yaml), configuration files, and system directories.

Therefore, the readFileFunc is the exact location of the vulnerability, as it's the function that processes the malicious input (the file path) and performs the insecure file operation.

Vulnerable functions

Grav\Common\Twig\Extension\GravExtension::readFileFunc

system/src/Grav/Common/Twig/Extension/GravExtension.php

The function `readFileFunc` is exposed to Twig templates as `read_file`. Before the patch, this function took a file path as input and directly used `file_get_contents` to read the file if it existed, without any path validation. This allowed a low-privilege user with page editing rights to create a form that uses this Twig function to read arbitrary files from the server, leading to information disclosure and potential account takeovers.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-66300: Grav is vulnerable to Arbitrary File Read

Summary

Details

PoC

Impact

CVE-2025-66300:

8.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

CVE-2025-66300: Grav is vulnerable to Arbitrary File Read

Summary

Details

PoC

Impact

8.5

8.5

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI