CVE-2025-66297 Overview
CVE-2025-66297 affects Grav, a file-based Web platform written in PHP. Versions prior to 1.8.0-beta.27 allow authenticated users with page creation or editing permissions to enable Twig processing in page frontmatter. Attackers can inject malicious Twig expressions to escalate privileges to administrator or execute arbitrary system commands through the scheduler API. The flaw chains a privilege escalation (PE) with remote code execution (RCE) on the underlying host. The vulnerability is tracked as CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine) and is fixed in Grav 1.8.0-beta.27.
Critical Impact
Authenticated admin panel users with page editing rights can execute arbitrary OS commands and elevate to administrator on Grav CMS instances.
Affected Products
- Getgrav Grav versions prior to 1.8.0-beta.27
- All Grav 1.8.0 beta releases from beta.1 through beta.26
- Grav CMS deployments exposing the admin panel to lower-privileged content editors
Discovery Timeline
- 2025-12-01 - CVE-2025-66297 published to NVD
- 2025-12-03 - Last updated in NVD database
Technical Details for CVE-2025-66297
Vulnerability Analysis
Grav uses the Twig templating engine to render pages and supports a process.twig flag in page frontmatter. When enabled, Grav evaluates Twig expressions embedded inside page content. The admin panel grants page creation and editing rights to non-administrator roles, which allows those users to toggle Twig processing on their own pages. Once Twig evaluation is active, the user controls the input to a server-side template engine. The attacker leverages Twig server-side template injection (SSTI) to read or modify privileged objects, escalate the current account to administrator, and reach the scheduler API to invoke arbitrary system commands.
Root Cause
The root cause is missing privilege separation between page authoring and template execution. Grav treats process.twig as a content-author setting rather than an administrative capability. Any account permitted to edit page frontmatter can opt into Twig evaluation, turning user-supplied page content into executable server-side code. See the GitHub Security Advisory GHSA-858q-77wx-hhx6 for the maintainer analysis.
Attack Vector
Exploitation requires network access to the admin panel and a valid account with page create or edit permissions. The attacker creates or edits a page, enables Twig processing in the frontmatter, and embeds Twig expressions that invoke PHP runtime objects. Rendering the page executes the injected expressions in the web server process context. From there the attacker abuses the scheduler API to register or trigger jobs that run arbitrary shell commands. The fix commit e3725952 restricts who can enable Twig processing and tightens scheduler API authorization. No public proof-of-concept exploit is currently available.
Detection Methods for CVE-2025-66297
Indicators of Compromise
- Page frontmatter files (*.md) on disk whose process: block sets twig: true, authored by non-admin accounts
- New or modified entries in user/config/scheduler.yaml referencing unexpected shell commands or binaries
- Web server processes (php-fpm, apache2, nginx workers) spawning child processes such as sh, bash, curl, or wget
- Admin panel audit entries showing role changes to administrator from accounts that previously held editor-only rights
Detection Strategies
- Inventory all Grav installations and flag versions below 1.8.0-beta.27 using software composition analysis or CPE matching against cpe:2.3:a:getgrav:grav.
- Scan the Grav user/pages directory for frontmatter that enables Twig processing and correlate the author against the user role.
- Monitor HTTP requests to /admin/pages and scheduler endpoints for unusual POST bodies containing Twig syntax such as {{ and {%.
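The two sides of the issue above, the missing authorization on process.twig described under Root Cause and the frontmatter scan from the detection strategies, as one added illustration in Python (hypothetical code, not Grav's own implementation). It assumes Grav pages carry a '---' delimited YAML-style header with either the nested process: / twig: true spelling or the dotted process.twig: true form, and that the site's user-to-role mapping is available as a dict; the sample pages and role map are constructed.

```python
import re

TRUE_VALUES = {"true", "1", "yes", "on"}

def parse_frontmatter(page_text):
    """Minimal parser for the '---' header: 'key: value' lines, one nesting level (assumed layout)."""
    m = re.match(r"^---\n(.*?)\n---", page_text, re.S)
    fm, parent = {}, None
    for line in (m.group(1).splitlines() if m else []):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip("'\"")
        if line[0] in " \t" and isinstance(fm.get(parent), dict):
            fm[parent][key] = value          # nested key under the last top-level mapping
        else:
            parent, fm[key] = key, ({} if value == "" else value)
    return fm

def twig_enabled(fm):
    """True if Twig processing is on in either spelling: nested 'process: twig:' or dotted 'process.twig'."""
    nested = fm.get("process") if isinstance(fm.get("process"), dict) else {}
    candidates = (nested.get("twig"), fm.get("process.twig"))
    return any(str(v).lower() in TRUE_VALUES for v in candidates if v is not None)

def enforce_twig_policy(fm, roles):
    """Save-path policy modelling the fix: only an admin may keep the flag; returns False if it was stripped."""
    if not twig_enabled(fm) or "admin" in roles:
        return True
    if isinstance(fm.get("process"), dict):
        fm["process"].pop("twig", None)
    fm.pop("process.twig", None)
    return False

def scan_pages(pages, user_roles):
    """Detection: (path, author) for pages with Twig enabled whose author lacks the admin role."""
    findings = []
    for path, text in pages.items():
        fm = parse_frontmatter(text)
        author = str(fm.get("author", ""))
        if twig_enabled(fm) and "admin" not in user_roles.get(author, set()):
            findings.append((path, author))
    return findings

SAMPLE_PAGES = {  # constructed sample pages and role map; not taken from any real site
    "user/pages/01.home/default.md": "---\ntitle: Home\nauthor: alice\nprocess:\n  twig: true\n---\n# Home\n",
    "user/pages/02.blog/post.md": "---\ntitle: Post\nauthor: bob\nprocess.twig: true\n---\nBody\n",
    "user/pages/03.about/default.md": "---\ntitle: About\nauthor: bob\nprocess:\n  markdown: true\n---\nBody\n",
}
SAMPLE_ROLES = {"alice": {"admin", "editor"}, "bob": {"editor"}}
```

Run scan_pages(SAMPLE_PAGES, SAMPLE_ROLES) over a real user/pages tree by reading each .md file into the dict; only the page whose non-admin author enabled Twig is reported.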
Monitoring Recommendations
- Alert on file modifications to user/config/scheduler.yaml and any new cron-like job definitions registered through Grav.
- Log and review every admin panel authentication and authorization change, especially role escalations.
- Capture process-lineage telemetry from the web server account to detect unexpected command execution downstream of PHP.
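The process-lineage check from the monitoring recommendations, as an added example in Python that is not part of the original advisory. It assumes process telemetry is available as records with pid, ppid and name, walks the ancestry so a shell or download tool is caught even when it sits several forks below the worker, and uses a constructed event list as input.

```python
WEB_SERVER_PROCS = {"php-fpm", "apache2", "nginx"}
SUSPECT_CHILDREN = {"sh", "bash", "dash", "curl", "wget"}

def build_index(events):
    """Map pid -> event record so ancestry can be walked without re-scanning the list."""
    return {e["pid"]: e for e in events}

def ancestors(index, pid):
    """Yield parent, grandparent, ... until the chain leaves the telemetry or loops."""
    seen = set()
    ppid = index.get(pid, {}).get("ppid")
    while ppid in index and ppid not in seen:
        seen.add(ppid)
        yield index[ppid]
        ppid = index[ppid]["ppid"]

def web_spawned_shells(events):
    """Return (pid, name, web-server ancestor name) for suspect processes
    that descend from a web server worker at any depth."""
    index = build_index(events)
    hits = []
    for e in events:
        if e["name"] not in SUSPECT_CHILDREN:
            continue
        for a in ancestors(index, e["pid"]):
            if a["name"] in WEB_SERVER_PROCS:
                hits.append((e["pid"], e["name"], a["name"]))
                break
    return hits

# Constructed sample: a php-fpm worker spawns sh, which spawns curl; a cron-run curl is benign.
SAMPLE_EVENTS = [
    {"pid": 1, "ppid": 0, "name": "systemd"},
    {"pid": 300, "ppid": 1, "name": "php-fpm"},
    {"pid": 301, "ppid": 300, "name": "php-fpm"},
    {"pid": 410, "ppid": 301, "name": "sh"},
    {"pid": 411, "ppid": 410, "name": "curl"},
    {"pid": 500, "ppid": 1, "name": "cron"},
    {"pid": 501, "ppid": 500, "name": "curl"},
]
```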
How to Mitigate CVE-2025-66297
Immediate Actions Required
- Upgrade Grav to version 1.8.0-beta.27 or later on all instances.
- Audit every admin panel account and remove page edit rights from users who do not require them.
- Review existing pages for process.twig: true set by non-administrator users and revert unauthorized changes.
- Rotate admin credentials and API tokens if unauthorized scheduler entries or role changes are found.
Patch Information
The fix is delivered in Grav 1.8.0-beta.27. The maintainer commit e37259527d9c1deb6200f8967197a9fa587c6458 restricts Twig processing in page frontmatter to privileged users and hardens the scheduler API. Full advisory details are published in GHSA-858q-77wx-hhx6.
Workarounds
- Restrict admin panel access to administrator accounts only until the patched release is deployed.
- Place the /admin route behind network controls such as IP allowlists, a VPN, or a reverse proxy with authentication.
- Disable the scheduler feature in environments where it is not required to reduce the RCE attack surface.
# Upgrade to the patched release (the caret constraint accepts 1.8.0-beta.27 and later)
composer require getgrav/grav:^1.8.0-beta.27
# Verify the installed version is 1.8.0-beta.27 or later
bin/grav --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.