Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66303

CVE-2025-66303: Getgrav Grav DoS Vulnerability Explained

CVE-2025-66303 is a Denial of Service vulnerability in Getgrav Grav caused by improper sanitization of cron expressions. Attackers can disable the admin panel using malicious input. This article covers technical details, affected versions, impact, and mitigation strategies.

Updated:

CVE-2025-66303 Overview

CVE-2025-66303 is a Denial of Service (DoS) vulnerability in Grav, a file-based Web platform developed by Getgrav. The flaw exists in versions prior to 1.8.0-beta.27 and stems from improper sanitization of the scheduled_at parameter used for cron expressions in the scheduler subsystem. An authenticated attacker with administrative privileges can submit a malicious cron expression, such as one containing a single quote, which corrupts the stored configuration and renders the admin panel non-functional. Recovery requires direct host server access to manually edit the backup.yaml file and remove the corrupted cron expression. The issue is tracked under GHSA-x62q-p736-3997 and categorized as [CWE-400] Uncontrolled Resource Consumption.

Critical Impact

A malformed cron expression submitted through the admin interface disables the entire Grav administrative panel until manual server-side intervention restores the configuration file.

Affected Products

  • Getgrav Grav versions prior to 1.8.0-beta.27
  • All 1.8.0-beta1 through 1.8.0-beta26 releases
  • Grav installations exposing the admin scheduler interface

Discovery Timeline

  • 2025-12-01 - CVE-2025-66303 published to NVD
  • 2025-12-03 - Last updated in NVD database

Technical Details for CVE-2025-66303

Vulnerability Analysis

The vulnerability resides in Grav's scheduler component, specifically in system/src/Grav/Common/Scheduler/IntervalTrait.php. The at() method accepts a user-supplied cron expression string and passes it directly to CronExpression::factory() without exception handling. When the parser encounters a malformed expression, it raises an InvalidArgumentException that propagates upward and prevents the admin panel from loading.

The corrupted value is persisted to backup.yaml on disk. Every subsequent admin request attempts to deserialize the same invalid expression and triggers the same exception, creating a persistent DoS condition that survives application restarts.

Root Cause

The root cause is missing input validation on the scheduled_at parameter combined with absent exception handling around the cron parser. A single quote or other shell-significant character bypasses validation, gets written to the YAML configuration file, and then fails parsing on every subsequent load.

Attack Vector

Exploitation requires an authenticated user with administrative privileges who can access the scheduler configuration in the admin panel. The attacker submits a crafted scheduled_at value through the backup scheduler form. Once the malicious value is written to backup.yaml, the admin interface becomes inaccessible to all administrators.

php
// Patch from system/src/Grav/Common/Scheduler/IntervalTrait.php
// Source: https://github.com/getgrav/grav/commit/9d11094e4133f059688fad1e00dbe96fb6e3ead7
public function at($expression)
{
    $this->at = $expression;
    try {
        $this->executionTime = CronExpression::factory($expression);
    } catch (InvalidArgumentException $e) {
        // Invalid cron expression - set to null to prevent DoS
        $this->executionTime = null;
    }

    return $this;
}

The fix wraps the CronExpression::factory() call in a try/catch block, setting executionTime to null when parsing fails instead of allowing the exception to break admin page rendering.

Detection Methods for CVE-2025-66303

Indicators of Compromise

  • Admin panel returning HTTP 500 errors or blank pages after a scheduler configuration change
  • Presence of non-standard characters such as single quotes, backticks, or semicolons inside the schedule block of user/config/backup.yaml
  • InvalidArgumentException entries referencing CronExpression in Grav application logs
  • Unexpected admin lockouts following recent authenticated sessions on the /admin/config/backups endpoint

Detection Strategies

  • Inspect backup.yaml files for cron expression fields containing characters outside the standard cron alphabet (digits, *, /, -, ,, whitespace)
  • Monitor web server access logs for POST requests to admin scheduler endpoints followed by 5xx responses
  • Audit Grav installations for versions matching 1.8.0-beta1 through 1.8.0-beta26 via the CPE inventory

Monitoring Recommendations

  • Alert on file modifications to user/config/backup.yaml outside of approved change windows
  • Track admin panel availability via synthetic health checks that detect persistent 500 errors
  • Log and review all authenticated changes to scheduler configuration with originating account attribution

How to Mitigate CVE-2025-66303

Immediate Actions Required

  • Upgrade Grav to version 1.8.0-beta.27 or later immediately
  • Audit existing backup.yaml files and remove any malformed cron expressions
  • Restrict administrative account access and enforce multi-factor authentication on admin logins
  • Review admin user accounts and revoke privileges that are no longer required

Patch Information

The vulnerability is fixed in Grav 1.8.0-beta.27. The patch is committed in GitHub commit 9d11094, which adds exception handling around CronExpression::factory() in IntervalTrait.php and removes sensitive fields from UserObject::jsonSerialize(). Full advisory details are available at GHSA-x62q-p736-3997.

Workarounds

  • If patching is delayed, restrict access to the admin scheduler interface using web server access controls or IP allowlisting
  • Apply file system permissions to user/config/backup.yaml that prevent modification by the web server process outside controlled deployments
  • Maintain a known-good backup of backup.yaml to enable rapid recovery if the admin panel becomes unresponsive
bash
# Recovery procedure if admin panel is unresponsive
# 1. SSH to the Grav host
ssh user@grav-host

# 2. Back up the corrupted file
cp user/config/backup.yaml user/config/backup.yaml.corrupted

# 3. Edit and remove malformed scheduled_at values
nano user/config/backup.yaml

# 4. Clear Grav cache to force reload
bin/grav clear-cache

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.