CVE-2025-66295 Overview
CVE-2025-66295 is a high-severity path traversal vulnerability affecting Grav, a popular file-based Web platform. The vulnerability exists in the Admin UI user creation functionality, where insufficient input validation allows an authenticated user with user creation privileges to write account YAML files to arbitrary locations on the filesystem by including path traversal sequences (such as ..\\ or ../) in the username field.
When exploited, the Grav CMS writes the account YAML file to an unintended path outside the designated user/accounts/ directory. These YAML files can contain sensitive account fields including email, fullname, twofa_secret, and hashed_password, potentially enabling an attacker to overwrite existing files or place malicious configuration files in sensitive directories.
Critical Impact
Authenticated attackers with user creation privileges can write arbitrary YAML files outside the intended account directory, potentially leading to system compromise, data manipulation, or privilege escalation through file system manipulation.
Affected Products
- Grav CMS versions prior to 1.8.0-beta.27
- Grav CMS 1.8.0-beta1 through 1.8.0-beta26
- All stable releases of Grav prior to the fix
Discovery Timeline
- December 1, 2025 - CVE-2025-66295 published to NVD
- December 4, 2025 - Last updated in NVD database
Technical Details for CVE-2025-66295
Vulnerability Analysis
This path traversal vulnerability (CWE-22) exists in the user account creation process within Grav's Admin UI. The application fails to properly sanitize or validate the username input before using it to construct the file path for the new user's YAML configuration file. This oversight allows attackers to include directory traversal sequences in the username, directing the file write operation to locations outside the intended user/accounts/ directory.
The vulnerability has been assigned a CVSS v3.1 score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating:
- Attack Vector: Network-based exploitation
- Attack Complexity: Low - straightforward to exploit
- Privileges Required: Low - requires authenticated user with user creation privileges
- User Interaction: None required
- Impact: High confidentiality, integrity, and availability impact
The EPSS (Exploit Prediction Scoring System) score is 0.057% with a percentile ranking of 17.88%, suggesting relatively lower predicted exploitation activity in the wild at this time.
Root Cause
The root cause is improper input validation (CWE-22: Path Traversal) in the user creation functionality. The application constructs the file path for the user's YAML account file by directly concatenating the user-supplied username to the base user/accounts/ directory path without sanitizing or validating that the username contains only safe characters. This allows path traversal sequences to escape the intended directory structure.
The vulnerability arises because the application trusts that users with administrative privileges will not provide malicious input, but this trust model fails to account for compromised accounts, insider threats, or privilege escalation scenarios.
Attack Vector
The attack requires an authenticated attacker with permissions to create new user accounts through the Grav Admin UI. The attacker crafts a malicious username containing path traversal sequences such as ..\\Nijat (Windows) or ../Nijat (Unix-like systems).
When the attacker submits the user creation form with this malicious username, Grav processes the request and attempts to write the user account YAML file. Due to the lack of input sanitization, the path traversal sequences are interpreted literally, causing the file to be written outside the user/accounts/ directory.
For example, a username of ../../../config/malicious could potentially write a YAML file to the Grav configuration directory, potentially overwriting critical configuration files or injecting malicious settings. The written file contains structured data including email addresses, full names, two-factor authentication secrets, and password hashes.
Detection Methods for CVE-2025-66295
Indicators of Compromise
- Unexpected YAML files appearing outside the user/accounts/ directory
- User account files with path traversal characters in filenames or unusual directory locations
- Web server logs showing user creation requests with .. or similar sequences in username parameters
- File system audit logs indicating writes to sensitive directories from the web application process
Detection Strategies
Organizations can implement the following detection strategies to identify exploitation attempts:
Web Application Firewall (WAF) Rules: Configure WAF rules to detect and block requests containing path traversal sequences (../, ..\\, %2e%2e%2f, %2e%2e/) in user creation form submissions.
File Integrity Monitoring (FIM): Deploy file integrity monitoring on the Grav installation directory to detect unauthorized file modifications or unexpected file creations outside designated directories.
Log Analysis: Monitor web server access logs and Grav application logs for user creation attempts with suspicious username patterns containing directory traversal characters.
Endpoint Detection and Response (EDR): Leverage EDR solutions like SentinelOne to detect anomalous file write operations from web server processes attempting to write outside expected application directories.
Monitoring Recommendations
Implement comprehensive logging for all user creation operations within Grav CMS, ensuring that usernames and resulting file paths are logged for audit purposes. Configure alerts for any user creation activity where the resulting file path does not match the expected user/accounts/ directory structure.
SentinelOne customers can leverage behavioral AI detection capabilities to identify web application processes performing suspicious file operations, including writes to directories outside the application's normal operational scope.
How to Mitigate CVE-2025-66295
Immediate Actions Required
- Upgrade Grav CMS to version 1.8.0-beta.27 or later immediately
- Review existing user accounts for any with suspicious usernames containing path traversal characters
- Audit the file system for unexpected YAML files outside the user/accounts/ directory
- Review access logs for any historical exploitation attempts
- Temporarily restrict user creation privileges to only essential administrators until patching is complete
Patch Information
The vulnerability has been addressed in Grav 1.8.0-beta.27. The fix is available through the official Grav GitHub repository:
- Security Advisory:GHSA-h756-wh59-hhjv
- Patch Commit:3462d94d575064601689b236508c316242e15741
Organizations should prioritize updating to the patched version as this is a high-severity vulnerability with a CVSS score of 8.8.
Workarounds
If immediate patching is not possible, consider the following temporary mitigations:
Restrict User Creation Access: Limit the ability to create new users to only the most trusted administrators, reducing the attack surface.
Input Validation at Web Server Level: Configure web server rules to reject user creation requests containing path traversal sequences in the username field.
File System Permissions: Ensure the web server process has minimal file system permissions, restricting write access to only necessary directories. This limits the impact even if path traversal is exploited.
Web Application Firewall: Deploy WAF rules to filter requests containing common path traversal patterns targeting user creation endpoints.
# Example Apache mod_rewrite rule to block path traversal in requests
RewriteEngine On
RewriteCond %{QUERY_STRING} (\.\./|\.\.\\) [NC,OR]
RewriteCond %{REQUEST_URI} (\.\./|\.\.\\) [NC]
RewriteRule .* - [F,L]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
