N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-66305

CVE-2025-66305: Grav vulnerable to Denial of Service via Improper Input Handling in 'Supported' Parameter

Endpoint: admin/config/system
Submenu: Languages
Parameter: Supported
Application: Grav v 1.7.48

Summary

A Denial of Service (DoS) vulnerability was identified in the "Languages" submenu of the Grav admin configuration panel (/admin/config/system). Specifically, the Supported parameter fails to properly validate user input. If a malformed value is inserted—such as a single forward slash (/) or an XSS test string—it causes a fatal regular expression parsing error on the server.

This leads to application-wide failure due to the use of the preg_match() function with an improperly constructed regular expression, resulting in the following error:

preg_match(): Unknown modifier 'o' File: /system/src/Grav/Common/Language/Language.php line 244

Once triggered, the site becomes completely unavailable to all users.

Details

Vulnerable Endpoint: POST /admin/config/system
Submenu: Languages
Parameter: Supported

The application dynamically constructs a regular expression using the contents of the Supported field without escaping the input using preg_quote() or proper validation. This allows attackers to inject invalid syntax into the regex engine, crashing the application during language resolution.

Stack trace excerpt:

Whoops \ Exception \ ErrorException (E_WARNING) preg_match(): Unknown modifier 'o' /system/src/Grav/Common/Language/Language.php244

Proof of Concept (PoC)

Payloads:

/

Steps to Reproduce:

Log into the Grav Admin Panel.
Navigate to: Configuration → System → Languages.
Locate the Supported field.
Insert one of the payloads above (e.g., a single slash /).
Click Save.

Observe: All pages in the application begin throwing a fatal error and become inaccessible.

Impact

Application-wide Denial of Service (DoS)
All login and admin views crash with the same error
Potentially exploitable by:
- Admin panel users
- CSRF if misconfigured

References

CWE-1333: Improper Regular Expression
CWE-20: Improper Input Validation

Discoverer

Marcelo Queiroz

by CVE-Hunters

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-66305

CVE-2025-66305:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
getgrav/grav	composer	< 1.8.0-beta.27	1.8.0-beta.27

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a Denial of Service (DoS) in Grav CMS, originating from improper input validation of the 'Supported' languages setting in the admin panel. The root cause is twofold:

Input Injection: The Grav\Common\Language\Language->setLanguages function, which processes the 'Supported' languages from the configuration, failed to sanitize the input. It directly stored user-provided strings, allowing an attacker to inject characters with special meaning in regular expressions, such as a forward slash (/).
Regex Failure: The Grav\Common\Language\Language->setActiveFromUri function later retrieves this list of languages to dynamically construct a regular expression. When the unsanitized, malicious string is included, it corrupts the regex pattern. For example, if the language list is en|/|fr, the regex becomes /(^\/(en|/|fr))(?:\/|\?|$)/i. The unescaped / is interpreted as the closing delimiter, causing the preg_match() function to fail with an 'Unknown modifier' error, crashing the application.

The patch resolves this by first adding strict validation in setLanguages to only allow valid language codes. Secondly, as a defense-in-depth measure, the patch modifies setActiveFromUri to ensure that any special characters that might be used as a regex delimiter are properly escaped when constructing the regex, preventing the crash.

Vulnerable functions

Grav\Common\Language\Language->setLanguages

system/src/Grav/Common/Language/Language.php

This function is the entry point for the vulnerability. It accepts the 'Supported' languages from the admin configuration. The vulnerable version of this function directly assigned the user-provided input to the 'languages' property without any validation or sanitization. This allowed an attacker to save malicious strings, such as a single forward slash ('/'), which would later be used in a regular expression, causing it to fail.

Grav\Common\Language\Language->setActiveFromUri

system/src/Grav/Common/Language/Language.php

This function consumes the unsanitized language codes stored by `setLanguages` to construct a regular expression for matching the language from a URL. When a malicious string like '/' is present in the language list, it breaks the regex syntax. The subsequent call to `preg_match()` with this malformed regex causes a fatal error, leading to an application-wide Denial of Service. The provided stack trace points directly to an error caused by this function's behavior.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-66305: Grav vulnerable to Denial of Service via Improper Input Handling in 'Supported' Parameter

Summary

Details

Proof of Concept (PoC)

Payloads:

Steps to Reproduce:

Impact

References

Discoverer

CVE-2025-66305:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

CVE-2025-66305: Grav vulnerable to Denial of Service via Improper Input Handling in 'Supported' Parameter

Summary

Details

Proof of Concept (PoC)

Payloads:

Steps to Reproduce:

Impact

References

Discoverer

N/A

N/A

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI