CVE-2025-66304 Overview
CVE-2025-66304 affects Grav, a file-based web platform widely used for content management. The vulnerability exposes password hashes of all users, including the administrator account, to any authenticated user who holds read access to the user account management section of the admin panel. Attackers who obtain these hashes can attempt offline cracking and escalate privileges if weak passwords are in use. The flaw is classified as Information Exposure [CWE-200] and is fixed in Grav 1.8.0-beta.27.
Critical Impact
Low-privileged admin users can retrieve administrator password hashes, enabling offline cracking and full account takeover.
Affected Products
- Getgrav Grav versions prior to 1.8.0-beta.27
- All 1.8.0 beta releases from beta1 through beta26
- Deployments exposing the admin panel to multiple user roles
Discovery Timeline
- 2025-12-01 - CVE-2025-66304 published to NVD
- 2025-12-03 - Last updated in NVD database
Technical Details for CVE-2025-66304
Vulnerability Analysis
Grav stores user credentials as hashed values within file-based user account records. The admin panel exposes these account records to users with read permissions on the user management section. The application fails to strip or redact the hashed_password field before serving account data to authorized viewers. As a result, any user able to view account entries retrieves the raw password hash alongside other account metadata.
This information exposure breaks the principle that password hashes must remain accessible only to authentication routines. Read access on user management should not equal read access on credentials. The vulnerability requires existing authentication, but lateral or vertical privilege escalation becomes feasible once an attacker holds any admin-tier read role.
Root Cause
The root cause is missing field-level access control on the user account API response. The admin controller serializes the entire user object, including the password hash attribute, without filtering sensitive fields based on the requesting user's privileges. The fix in commit 9d11094e4133f059688fad1e00dbe96fb6e3ead7 removes the hash field from responses returned to the admin UI.
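The pattern described above, as an added illustration that is not Grav's own code: one serializer that hands the whole account record to the UI (the flawed behaviour) next to one that strips credential fields before serialization, plus a regression check for any endpoint that returns accounts. The record layout and the extra field names are assumptions; only `hashed_password` comes from this advisory.

```python
"""Field-level redaction of user-account records before they reach an admin UI.
Added illustration of the CVE-2025-66304 root cause, not Grav's own code: the
record layout and the extra field names are assumptions; only `hashed_password`
comes from the advisory."""
import json
from typing import Any

# Keys that only authentication routines should ever read. `hashed_password` is
# the field the advisory names; the other two are assumed examples of the same
# class of secret that a deny-list should also cover.
SENSITIVE_FIELDS = frozenset({"hashed_password", "reset_token", "twofa_secret"})

# Constructed sample account records. The hash strings are fake placeholders
# shaped like bcrypt/argon2 output, not real hashes.
ACCOUNTS = {
    "admin": {
        "email": "admin@example.test",
        "fullname": "Site Admin",
        "access": {"admin": {"super": True}},
        "hashed_password": "$2y$10$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER",
        "twofa_secret": "PLACEHOLDERSECRET",
    },
    "editor": {
        "email": "editor@example.test",
        "fullname": "Content Editor",
        "access": {"admin": {"login": True, "users": True}},
        "hashed_password": "$argon2id$v=19$m=65536,t=4,p=1$PLACEHOLDER$PLACEHOLDER",
    },
}


def serialize_accounts_vulnerable(accounts: dict) -> str:
    """The flawed pattern: the whole record is serialized, hash included, and
    shipped to any caller allowed to view the account list."""
    return json.dumps(accounts)


def redact(value: Any) -> Any:
    """Recursively drop sensitive keys, so nested structures cannot carry the
    hash out under a different parent."""
    if isinstance(value, dict):
        return {k: redact(v) for k, v in value.items() if k not in SENSITIVE_FIELDS}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def serialize_accounts_fixed(accounts: dict) -> str:
    """Hardened pattern: redact before serializing, for every caller. The UI
    never needs credential material, so no role is exempt from the filter."""
    return json.dumps(redact(accounts))


def leaked_fields(serialized: str) -> set:
    """Regression check for any account endpoint: which sensitive keys survive
    in a serialized response? An empty set means the response is clean."""
    found = set()

    def walk(value: Any) -> None:
        if isinstance(value, dict):
            for k, v in value.items():
                if k in SENSITIVE_FIELDS:
                    found.add(k)
                walk(v)
        elif isinstance(value, list):
            for v in value:
                walk(v)

    walk(json.loads(serialized))
    return found


if __name__ == "__main__":
    print("vulnerable leaks:", sorted(leaked_fields(serialize_accounts_vulnerable(ACCOUNTS))))
    print("fixed leaks:", sorted(leaked_fields(serialize_accounts_fixed(ACCOUNTS))))
```

The point of redacting unconditionally rather than per role is that a role check can be bypassed by a later refactor or a misconfigured permission, whereas a serializer that never emits the field has nothing to get wrong. `leaked_fields` is the kind of check worth running in CI against every endpoint that returns account data.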
Attack Vector
An attacker authenticates to the Grav admin panel using a low-privileged account that holds read access to user accounts. The attacker browses to the user management section and inspects either the rendered page source or the underlying JSON API response. The hash for each user, including the administrator, is returned in the response payload. The attacker then performs offline cracking using tools such as hashcat or john against the recovered hashes. Successful cracking yields administrator credentials and full control of the Grav installation.
No exploitation code is required beyond authenticated HTTP access. See the GitHub Security Advisory GHSA-gq3g-666w-7h85 for vendor analysis.
Detection Methods for CVE-2025-66304
Indicators of Compromise
- Admin panel HTTP responses containing hashed_password fields in JSON bodies served to non-administrative roles
- Unexpected authenticated requests to user account management endpoints from accounts that do not routinely manage users
- Successful admin logins from IP addresses or user agents not previously associated with administrator accounts
Detection Strategies
- Inspect web server access logs for repeated GETs against admin user management routes by low-privileged sessions
- Review Grav admin audit trails for account enumeration patterns followed by privileged login attempts
- Monitor for offline cracking indicators such as sudden password rotations or anomalous authentication bursts on the administrator account
Monitoring Recommendations
- Enable verbose logging on the Grav admin panel and forward logs to a centralized analytics platform
- Alert on any HTTP response from admin endpoints whose body matches password hash signatures ($2y$, $2b$, $argon2)
- Track changes to user account files on disk under the Grav user/accounts/ directory
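The access-log strategy (repeated GETs against account-management routes from low-privileged sessions) and the response-body alert (bodies matching the $2y$, $2b$ or $argon2 signatures) from the two lists above, run over constructed sample data. This is an added example, not part of the advisory or of Grav; the combined-format log layout with a session id appended, the /admin/accounts route pattern and the user-to-role mapping are assumptions made for the illustration.

```python
"""Detection logic for the hash exposure described above. Added example, not
part of the advisory or of Grav. The access-log layout (combined format with
a session id appended as the last field), the /admin/accounts route pattern
and the user-to-role mapping are assumptions made for the illustration."""
import re
from collections import Counter

# Constructed access-log lines: the editor's session walks every account
# record, the administrator fetches the list once, and the editor's later
# /admin/pages request is unrelated traffic.
SAMPLE_LOG = """\
203.0.113.7 - editor [02/Dec/2025:10:00:01 +0000] "GET /admin/accounts HTTP/1.1" 200 5120 sess-e1
203.0.113.7 - editor [02/Dec/2025:10:00:02 +0000] "GET /admin/accounts/admin HTTP/1.1" 200 2048 sess-e1
203.0.113.7 - editor [02/Dec/2025:10:00:03 +0000] "GET /admin/accounts/editor HTTP/1.1" 200 2011 sess-e1
203.0.113.7 - editor [02/Dec/2025:10:00:04 +0000] "GET /admin/accounts/author HTTP/1.1" 200 1990 sess-e1
198.51.100.4 - admin [02/Dec/2025:10:05:00 +0000] "GET /admin/accounts HTTP/1.1" 200 5120 sess-a1
203.0.113.7 - editor [02/Dec/2025:10:06:00 +0000] "GET /admin/pages HTTP/1.1" 200 9000 sess-e1
"""

# Constructed admin-endpoint response bodies. The hash string is a fake
# placeholder shaped like bcrypt output, not a real hash.
LEAKED_RESPONSE = '{"admin": {"email": "admin@example.test", "hashed_password": "$2y$10$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER"}}'
CLEAN_RESPONSE = '{"admin": {"email": "admin@example.test", "fullname": "Site Admin"}}'

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ (?P<session>\S+)$'
)
ACCOUNT_ROUTE = re.compile(r"^/admin/accounts(?:/|$)")  # assumed user-management route
USER_ROLES = {"admin": "super", "editor": "editor", "author": "author"}  # assumed mapping
# Signatures from the monitoring list above: bcrypt ($2y$/$2b$, plus $2a$) and
# the argon2 variants.
HASH_SIGNATURE = re.compile(r"\$(?:2[aby]\$\d{2}\$|argon2(?:i|d|id)\$)")


def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_enumeration(log_text: str, threshold: int = 3) -> dict:
    """Count successful GETs to account-management routes per (user, session)
    for non-super users and return those at or above `threshold`. Super users
    are skipped because managing accounts is their normal duty; the advisory's
    concern is lower-privileged roles reading the hashes."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["status"] != "200":
            continue
        if not ACCOUNT_ROUTE.match(rec["path"]):
            continue
        if USER_ROLES.get(rec["user"]) == "super":
            continue
        hits[(rec["user"], rec["session"])] += 1
    return {key: n for key, n in hits.items() if n >= threshold}


def response_exposes_hash(body: str) -> bool:
    """Alert condition from the monitoring list: does a response body from an
    admin endpoint contain anything shaped like a password hash?"""
    return HASH_SIGNATURE.search(body) is not None


if __name__ == "__main__":
    print("enumeration:", flag_enumeration(SAMPLE_LOG))
    print("leaked body:", response_exposes_hash(LEAKED_RESPONSE))
    print("clean body:", response_exposes_hash(CLEAN_RESPONSE))
```

Tune `threshold` to the size of the user base: a session that fetches more account records than the deployment has non-administrative staff is the clearest signal. The body check belongs in a reverse proxy or WAF response filter rather than in the access log, since access logs do not record bodies.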
How to Mitigate CVE-2025-66304
Immediate Actions Required
- Upgrade Grav to version 1.8.0-beta.27 or later without delay
- Force password resets for all accounts, prioritizing administrator and privileged roles
- Audit existing admin panel user roles and remove read access to user management for accounts that do not require it
- Review recent admin panel access logs for evidence of unauthorized hash retrieval
Patch Information
The vulnerability is fixed in Grav 1.8.0-beta.27. The corrective change is published in commit 9d11094e4133f059688fad1e00dbe96fb6e3ead7 and detailed in the Grav Security Advisory GHSA-gq3g-666w-7h85. Apply the upstream release through the Grav package manager or by replacing the affected files from the official distribution.
Workarounds
- Restrict admin panel access to trusted networks using firewall rules or reverse proxy ACLs until patching is complete
- Limit the number of accounts with admin panel read permissions to the minimum required
- Enforce strong password policies and multi-factor authentication to reduce the value of any cracked hash
# Upgrade Grav using the bundled CLI
bin/gpm selfupgrade -f
bin/gpm update
# Verify the installed version meets or exceeds the patched release
bin/grav --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.