CVE-2025-66298 Overview
CVE-2025-66298 is a Server-Side Template Injection (SSTI) vulnerability in Grav CMS, a popular file-based web platform. This vulnerability allows unauthenticated attackers to exploit forms on affected Grav installations to disclose the complete server configuration, including sensitive plugin settings and system details. By crafting a malicious POST payload, attackers can leverage the template processing engine to extract configuration information that should not be accessible to external users.
Critical Impact
Unauthenticated attackers can extract complete Grav configuration details including plugin configurations, potentially revealing database credentials, API keys, and other sensitive system information through Server-Side Template Injection.
Affected Products
- Grav CMS versions prior to 1.8.0-beta.27
- Grav CMS 1.8.0-beta.1 through 1.8.0-beta.26
- Any Grav installation with forms enabled that has not been patched
Discovery Timeline
- December 1, 2025 - CVE-2025-66298 published to NVD
- December 3, 2025 - Last updated in NVD database
Technical Details for CVE-2025-66298
Vulnerability Analysis
This vulnerability is classified under CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine). The flaw exists in how Grav CMS processes form submissions, allowing template directives to be injected and executed server-side. When a Grav site has any form functionality enabled, the form processing logic fails to properly sanitize user-supplied input before passing it to the Twig template engine.
The attack can be performed remotely over the network without requiring any authentication or user interaction. An attacker who successfully exploits this vulnerability gains read access to the complete Grav configuration, which may contain highly sensitive information such as database connection strings, SMTP credentials, API tokens for integrated services, and internal file paths that could facilitate further attacks.
Root Cause
The root cause of CVE-2025-66298 lies in insufficient input validation and sanitization within Grav's form processing mechanism. When form data is submitted via POST request, the application fails to properly neutralize template-specific syntax before the data is processed by the Twig templating engine. This allows attackers to inject Twig template directives that are subsequently executed in the server-side context, enabling access to internal configuration objects and variables.
Attack Vector
The attack is executed remotely over the network. An attacker identifies a Grav CMS installation with form functionality (such as contact forms, login forms, or registration forms) and crafts a specially formed POST request containing Twig template injection payloads. These payloads target Grav's internal configuration objects, causing the server to evaluate the injected template code and return configuration data in the response.
The exploitation does not require any prior authentication, making any publicly accessible Grav installation with forms a potential target. The attacker crafts POST parameters containing Twig variable references or expressions that, when processed by the template engine, output sensitive configuration values. The configuration dump may include plugin settings, system paths, credentials, and other sensitive deployment information.
Detection Methods for CVE-2025-66298
Indicators of Compromise
- Unusual POST requests to form endpoints containing template syntax patterns such as {{, {%, or Twig-specific functions
- Web server logs showing form submissions with payloads referencing config, system, or grav objects
- Unexpected outbound data transfers or error responses containing JSON-like configuration structures
- Access logs indicating repeated form submissions from single IP addresses with varying payloads
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block template injection patterns in POST requests
- Monitor web server access logs for requests containing Twig template syntax ({{, }}, {%, %})
- Deploy intrusion detection signatures for Server-Side Template Injection attack patterns
- Review application logs for unusual form processing errors or exceptions related to template rendering
Monitoring Recommendations
- Enable detailed logging for all form submissions and monitor for anomalous patterns
- Set up alerts for POST requests containing known SSTI payload signatures
- Monitor for configuration file access or disclosure in application responses
- Implement rate limiting on form endpoints to slow potential exploitation attempts
How to Mitigate CVE-2025-66298
Immediate Actions Required
- Upgrade Grav CMS to version 1.8.0-beta.27 or later immediately
- Audit web server logs for evidence of exploitation attempts targeting form endpoints
- Review and rotate any credentials or API keys stored in Grav configuration files
- Consider temporarily disabling forms on production systems until patches are applied
Patch Information
The vulnerability has been addressed in Grav CMS version 1.8.0-beta.27. The fix is available via commit e37259527d in the official Grav repository. The patch implements proper input sanitization to prevent template injection through form submissions. For detailed information about the security fix, refer to the GitHub Security Advisory GHSA-8535.
Workarounds
- Temporarily disable all form functionality on affected Grav installations until patching is possible
- Implement WAF rules to filter POST requests containing Twig template syntax
- Place affected Grav installations behind authentication to limit exposure
- Consider network segmentation to restrict access to administrative and form endpoints
# Example WAF rule pattern for ModSecurity to block SSTI attempts
SecRule ARGS "@rx \{\{.*\}\}|\{%.*%\}" \
"id:1001,\
phase:2,\
deny,\
status:403,\
msg:'Potential SSTI Attack Detected',\
log,\
auditlog"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
