6.2

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-66304

CVE-2025-66304: Grav Exposes Password Hashes Leading to privilege escalation

Exposure of Password Hashes Leading to privilege escalation

Severity Rating: Medium

Vector: Privilege Escalation

CVE: XXX

CWE: 200 - Exposure of Sensitive Information

CVSS Score: 6.2

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L

Analysis

It was observed that if a users is given read access on the user account management section of the admin panel can view the password hashes of all users, including the admin user. This exposure can potentially lead to privilege escalation if an attacker can crack these password hashes.

An attacker with read access can:

View and potentially crack the password hashes.
Gain administrative access by cracking the admin password hash.
Escalate privileges and compromise the entire admin panel.

Proof of Concept

Give read access to user accounts to a random user as shown in the following figures:
Log in to the admin panel with an account that has read access to user accounts and navigate to the user account management section.
Go to the admin profile http://127.0.0.1/admin/accounts/users/admin; The password is not display. Try inspecting the page source code as shown in the following figures:

You can see that it match the hash that is in the admin.yaml file :
Crack the hash as shown in the following figure, the algorithm use here is bcrypt:

grav3

Workarounds

No workaround is currently known

Timeline

2024-07-24 Issue identified

2024-09-27 Vendor contacted

About X41 D-Sec GmbH

X41 is an expert provider for application security services. Having extensive industry experience and expertise in the area of information security, a strong core security team of world class security experts enables X41 to perform premium security services.

Fields of expertise in the area of application security are security centered code reviews, binary reverse engineering and vulnerability discovery. Custom research and IT security consulting and support services are core competencies of X41.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-66304

CVE-2025-66304:

6.2

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
getgrav/grav	composer	< 1.8.0-beta.27	1.8.0-beta.27

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability, identified as GHSA-gq3g-666w-7h85, allowed users with read access to the user account management section to view the password hashes of all users. This was due to the insecure serialization of user objects, which included sensitive data like hashed_password.

The patch addresses this by overriding the jsonSerialize method in two key classes: Grav\Common\Flex\Types\Users\UserObject and Grav\Common\User\DataUser\User. The jsonSerialize method is invoked when json_encode() is called on an object, which is a common practice for preparing data for API responses.

Before the fix, these classes relied on a parent's jsonSerialize implementation, which simply converted all object properties to an array, thus exposing the password hash. The patch introduces a specific implementation in both classes that calls the parent method and then explicitly unsets the hashed_password, secret, and twofa_secret fields from the resulting array. This ensures that sensitive data is not included in the JSON output sent to the client, mitigating the information disclosure vulnerability.

Vulnerable functions

Grav\Common\Flex\Types\Users\UserObject::jsonSerialize

system/src/Grav/Common/Flex/Types/Users/UserObject.php

The `jsonSerialize` method is automatically called when an object is encoded into JSON. Prior to the patch, the `UserObject` class used an inherited `jsonSerialize` method that included all object properties, including the `hashed_password`. This allowed an attacker with read access to the user management section to view the password hashes of other users. The patch overrides this method to explicitly remove the `hashed_password` and other sensitive fields before the object is serialized.

Grav\Common\User\DataUser\User::jsonSerialize

system/src/Grav/Common/User/DataUser/User.php

The `User` class also had its user data exposed via JSON serialization. The vulnerability lies in the inherited `jsonSerialize` method that was used before the patch. This method did not filter sensitive data like `hashed_password`. The patch adds a specific `jsonSerialize` implementation for the `User` class that removes these fields, thus preventing them from being exposed.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.2

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-66304: Grav Exposes Password Hashes Leading to privilege escalation

Exposure of Password Hashes Leading to privilege escalation

Analysis

Proof of Concept

Workarounds

Timeline

About X41 D-Sec GmbH

CVE-2025-66304:

6.2

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-66304: Grav Exposes Password Hashes Leading to privilege escalation

Exposure of Password Hashes Leading to privilege escalation

Analysis

Proof of Concept

Workarounds

Timeline

About X41 D-Sec GmbH

Basic Information

Basic Information

Technical Details

6.2

6.2

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI