CVE-2025-66301
Published: 01 December 2025
Summary
CVE-2025-66301 is a critical-severity Improper Authorization (CWE-285) vulnerability in Getgrav Grav. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Template Injection (T1221). The CVE is ranked in the top 3.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 enforces approved authorizations for access to system resources, directly preventing low-privileged editors from modifying critical YAML frontmatter fields via admin POST requests.
AC-6 applies least privilege to restrict editor roles from accessing or altering sensitive form process configurations in page YAML.
CM-5 restricts access to changes in system components like page files and YAML headers, mitigating unauthorized modifications by low-privileged users.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Broken access control allows an authenticated editor to modify YAML frontmatter in page forms, enabling server-side template injection (SSTI) via malicious Twig payloads in the process section, potentially leading to code execution.
NVD Description
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical fields on a POST request to /admin/pages/{page_name}, an editor with only permissions to change basic content on the form is now able to change the functioning of the form through modifying the content of the data[_json][header][form] which is the YAML frontmatter which includes the process section which dictates what happens after a user submits the form which include some important actions that could lead to further vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27.
Deeper analysis
CVE-2025-66301 is an improper authorization vulnerability (CWE-285) affecting Grav, a file-based web platform, in versions prior to 1.8.0-beta.27. The issue arises from inadequate checks when handling POST requests to /admin/pages/{page_name}, allowing modification of critical fields. Specifically, an authenticated editor can alter the YAML frontmatter in data[_json][header][form], including the process section that controls post-submission form behavior and enables potentially dangerous actions.
The vulnerability can be exploited over the network (AV:N) with low complexity (AC:L), requiring low privileges (PR:L) such as editor access for basic content changes, without user interaction (UI:N). Successful exploitation changes the scope (S:C) and grants high confidentiality (C:H) and integrity (I:H) impacts, with no availability impact (A:N), earning a CVSS v3.1 base score of 9.6. Attackers with editor permissions can reconfigure form processing logic to perform unauthorized actions, potentially chaining into additional vulnerabilities.
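As an added example, not code from the Grav project or the advisory, here is a server-side check of the kind the missing authorization implies: it diffs the stored page header against the submitted one and refuses the request when a change touches the form's `process` section unless the caller holds a privileged permission. The permission names, the protected-path list and the helper names are assumptions for illustration.

```python
# Added example (not Grav's own code): authorization gate for a page-header update.
# Rejects changes under protected header paths unless the caller is privileged.
PROTECTED_PREFIXES = ("form.process",)    # post-submit actions named in the advisory
PRIVILEGED_PERMISSIONS = {"admin.super"}  # hypothetical permission name
_MISSING = object()                       # marks a path present on one side only


def flatten(node, prefix=""):
    """Map dotted paths to leaf values; list elements get numeric segments."""
    if isinstance(node, dict):
        items = list(node.items())
    elif isinstance(node, list):
        items = list(enumerate(node))
    else:
        items = []
    if not items:
        return {prefix: node}
    out = {}
    for key, value in items:
        out.update(flatten(value, f"{prefix}.{key}" if prefix else str(key)))
    return out


def changed_paths(current, submitted):
    """Paths added, removed or modified by the submission, sorted."""
    a, b = flatten(current), flatten(submitted)
    return sorted(p for p in a.keys() | b.keys()
                  if a.get(p, _MISSING) != b.get(p, _MISSING))


def is_protected(path):
    return any(path == p or path.startswith(p + ".") for p in PROTECTED_PREFIXES)


def authorize_header_update(current, submitted, permissions):
    """Return (allowed, protected_paths_touched); editors may only change the rest."""
    blocked = [p for p in changed_paths(current, submitted) if is_protected(p)]
    return (not blocked or bool(permissions & PRIVILEGED_PERMISSIONS)), blocked


# Constructed sample: a stored contact-form header and two editor submissions,
# modelled on the parsed data[_json][header] payload of the admin POST.
CURRENT_HEADER = {
    "title": "Contact",
    "form": {"name": "contact",
             "fields": [{"name": "email", "type": "email"}],
             "process": [{"email": {"to": "owner@example.invalid"}},
                         {"message": "Thank you"}]},
}
TITLE_ONLY = {**CURRENT_HEADER, "title": "Contact us"}
PROCESS_CHANGED = {**CURRENT_HEADER, "form": {**CURRENT_HEADER["form"],
                   "process": [{"email": {"to": "other@example.invalid"}}]}}
```

A title-only edit passes for an editor, while the same editor's change to the `process` list is refused and the touched paths are returned for logging.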
The Grav security advisory (GHSA-v8x2-fjv7-8hjh) confirms the issue is fixed in version 1.8.0-beta.27, recommending immediate upgrades for affected installations.
Details
- CWE(s)