4.9

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-66303

GHSA ID

GHSA-x62q-p736-3997

EPSS Score

CWE

CWE-400

Published

12/2/2025

Updated

12/2/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-66303

CVE-2025-66303: Grav is vulnerable to a DOS on the admin panel

DOS on the admin panel

Severity Rating: Medium

Vector: Denial Of Service

CVE: XXX

CWE: 400 - Uncontrolled Resource Consumption

CVSS Score: 4.9

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Analysis

A Denial of Service (DoS) vulnerability has been identified in the application related to the handling of scheduled_at parameters. Specifically, the application fails to properly sanitize input for cron expressions. By manipulating the scheduled_at parameter with a malicious input, such as a single quote, the application admin panel becomes non-functional, causing significant disruptions to administrative operations.

The only way to recover from this issue is to manually access the host server and modify the backup.yaml file to correct the corrupted cron expression

Proof of Concept

Change the value of scheduled_at parameter to ' as shown in the following figures at the http://127.0.0.1/admin/tools endpoint, and observe the response in the second figure: Figure: Http request on tool endpoint Figure: Http response on tool endpoint
When trying to access the admin panel, the panel is broken as shown in the following figure. Additionally, the value change is reflected in the backup.yaml file, as shown in the second figure: Figure: Error message view Figure: Backup.yaml file

Miggo Vulnerability Database

→

CVE-2025-66303

CVE-2025-66303:

4.9

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-66303

GHSA ID

GHSA-x62q-p736-3997

EPSS Score

CWE

CWE-400

Published

12/2/2025

Updated

12/2/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
getgrav/grav	composer	< 1.8.0-beta.27	1.8.0-beta.27

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a Denial of Service (DoS) in the Grav admin panel, caused by the application's failure to properly sanitize and handle malformed cron expressions. The core of the issue lies in the use of CronExpression::factory(), which throws an InvalidArgumentException when provided with an invalid cron string.

The user can introduce a malicious string, such as a single quote ('), into the scheduled_at parameter for a scheduled task (like a backup) via the /admin/tools endpoint. This invalid expression is saved to a configuration file (backup.yaml).

When the admin panel or a CLI command later attempts to read and process this scheduled job, it calls functions like Grav\Common\Scheduler\Job::getCronExpression() or Grav\Common\Scheduler\IntervalTrait::at(). These functions, prior to the patch, would call CronExpression::factory() without any error handling. The resulting unhandled InvalidArgumentException would propagate up the stack, causing the application to crash and rendering the admin panel inaccessible until the invalid data is manually removed from the configuration file.

The patch addresses this by wrapping all calls to CronExpression::factory() within try-catch blocks. This ensures that invalid cron expressions are handled gracefully by returning null instead of crashing the application, thus preventing the Denial of Service.

Vulnerable functions

Grav\Common\Scheduler\IntervalTrait::at

system/src/Grav/Common/Scheduler/IntervalTrait.php

The `at` function in the `IntervalTrait` is called when setting a scheduled job's execution time. The original code directly passed the user-provided cron expression to `CronExpression::factory()`. This would throw an `InvalidArgumentException` if the expression was malformed (e.g., a single quote), causing an unhandled exception and a Denial of Service in the admin panel. The patch mitigates this by wrapping the call in a try-catch block.

Grav\Common\Scheduler\Job::getCronExpression

system/src/Grav/Common/Scheduler/Job.php

This function retrieves the cron expression for a scheduled job. Before the patch, it would attempt to create a `CronExpression` object from the stored `at` value without error handling. When the admin panel or another component tried to display or process a job with a malicious cron string, this function would throw an unhandled `InvalidArgumentException`, leading to a crash. The fix introduces a try-catch block to return `null` for invalid expressions.

Grav\Common\Twig\Extension\GravExtension::cronFunc

system/src/Grav/Common/Twig/Extension/GravExtension.php

This Twig extension function is used within templates to parse cron strings. The admin panel UI likely uses this to render information about scheduled jobs. An invalid cron string passed from the backend would cause this function to throw an unhandled `InvalidArgumentException`, breaking the page rendering and resulting in a Denial of Service for the user trying to access the page.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.9

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-66303: Grav is vulnerable to a DOS on the admin panel

DOS on the admin panel

Analysis

Proof of Concept

CVE-2025-66303:

4.9

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

CVE-2025-66303: Grav is vulnerable to a DOS on the admin panel

DOS on the admin panel

Analysis

Proof of Concept

Workarounds

Timeline

About X41 D-Sec GmbH

4.9

4.9

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI