CVE-2025-66305

Dec. 2, 2025, 9:15 p.m.

6.9
Medium

Description

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Denial of Service (DoS) vulnerability was identified in the "Languages" submenu of the Grav admin configuration panel (/admin/config/system). Specifically, the Supported parameter fails to properly validate user input. If a malformed value is inserted—such as a single forward slash (/) or an XSS test string—it causes a fatal regular expression parsing error on the server. This leads to application-wide failure due to the use of the preg_match() function with an improperly constructed regular expression, resulting in an error. Once triggered, the site becomes completely unavailable to all users. This vulnerability is fixed in 1.8.0-beta.27.

Product(s) Impacted

Vendor Product Versions
Grav
  • Grav
  • <1.8.0-beta.27

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-248
Uncaught Exception
An exception is thrown from a function, but it is not caught.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a grav grav <1.8.0-beta.27 / / / / / / /

References

https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee
https://github.com/getgrav/grav/security/advisories/GHSA-m8vh-v6r6-w7p6
https://github.com/getgrav/grav/security/advisories/GHSA-m8vh-v6r6-w7p6

Tags

security-advisories@github.com
CWE-248
2025-12-01
CVE-2025-66305

CVSS Score

6.9 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: HIGH
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: Dec. 1, 2025, 10:15 p.m.
Last Modified: Dec. 2, 2025, 9:15 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.