
CVE-2025-66305: Getgrav Grav DoS Vulnerability

CVE-2025-66305 is a denial of service flaw in Getgrav Grav's admin configuration panel that crashes the entire site when malformed input is entered. This article covers the technical details, affected versions, and mitigation.

Updated: January 22, 2026

CVE-2025-66305 Overview

CVE-2025-66305 is a Denial of Service (DoS) vulnerability discovered in Grav, a popular file-based web platform. The vulnerability exists in the "Languages" submenu of the Grav admin configuration panel (/admin/config/system). Specifically, the Supported parameter fails to properly validate user input, allowing an authenticated administrator to crash the entire application by saving malformed values such as a single forward slash (/) or XSS test strings.

When exploited, the vulnerability triggers a fatal regular-expression parsing error on the server, because the saved value is used to build a pattern that is passed to PHP's preg_match() function without proper construction. The result is an application-wide failure that leaves the site unavailable to all users until an administrator intervenes manually.

Critical Impact

Authenticated administrators can cause complete site unavailability through improper input in the Languages configuration, affecting all users and requiring manual recovery.

Affected Products

  • Grav versions prior to 1.8.0-beta.27
  • Grav 1.8.0-beta1 through 1.8.0-beta26
  • All stable Grav releases before the patch

Discovery Timeline

  • 2025-12-01 - CVE-2025-66305 published to NVD
  • 2025-12-03 - Last updated in NVD database

Technical Details for CVE-2025-66305

Vulnerability Analysis

This vulnerability is classified under CWE-248 (Uncaught Exception) and represents an Improper Input Validation issue that leads to Denial of Service. The vulnerability carries a CVSS 4.0 score of 6.9 (MEDIUM severity) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

The EPSS (Exploit Prediction Scoring System) probability is 0.062% with a percentile ranking of 19.381, indicating a relatively low likelihood of exploitation in the wild.

The vulnerability stems from insufficient input validation in the Languages configuration section of the Grav admin panel. When a user with administrative privileges enters a malformed string in the Supported languages parameter, the application attempts to use this input to construct a regular expression pattern. Since the input is not sanitized or validated for regex metacharacters, invalid patterns cause PHP's preg_match() function to fail catastrophically.

Root Cause

The root cause is the direct use of unsanitized user input in the construction of regular expressions. When a regex-significant character such as the / delimiter is supplied without escaping, the resulting pattern is syntactically invalid, and PHP's PCRE (Perl Compatible Regular Expressions) engine fails with a fatal error when it tries to compile or execute it.

The vulnerable code path does not implement:

  1. Input validation to reject invalid language codes
  2. Proper escaping of regex metacharacters using preg_quote()
  3. Error handling for regex compilation failures
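The following PHP is an added example, not Grav's own code, written to show the three missing layers side by side: a vulnerable function that concatenates the language code straight into a preg_match() pattern, and a hardened version that allow-lists the code, runs it through preg_quote() with the delimiter, and treats a false return from preg_match() as an error. The function names, the allow-list regex and the sample path are assumptions made for the demonstration and are not taken from the Grav source.

```php
<?php
// Added example, not Grav's own code: shows why an unescaped language code
// breaks preg_match() and how validation, preg_quote() and an explicit
// false-check prevent it. Function names and the allow-list regex are
// illustrative assumptions, not taken from the Grav source.
declare(strict_types=1);

// Vulnerable shape: the user-supplied code is concatenated straight into the
// pattern. A value of "/" closes the delimiter early, so PHP sees ")\//" as
// modifiers, emits "preg_match(): Unknown modifier ')'" and returns false.
function matchesLanguageUnsafe(string $langCode, string $path): bool
{
    $pattern = '/^\/(' . $langCode . ')\//';
    return preg_match($pattern, $path) === 1;
}

// Layer 1: allow-list the value before it gets anywhere near a regex.
// Assumed shape: 2-3 letters plus optional "-subtag" parts (en, fr-CA, zh-Hant).
function isValidLanguageCode(string $langCode): bool
{
    return preg_match('/^[A-Za-z]{2,3}(?:-[A-Za-z0-9]{2,8})*$/', $langCode) === 1;
}

// Layer 2: preg_quote() with the delimiter, so any remaining metacharacter is
// literal. Layer 3: preg_match() returning false is an error, not "no match".
function matchesLanguageSafe(string $langCode, string $path): bool
{
    if (!isValidLanguageCode($langCode)) {
        throw new InvalidArgumentException("Rejected language code: {$langCode}");
    }
    $pattern = '/^\/(' . preg_quote($langCode, '/') . ')\//';
    $result  = preg_match($pattern, $path);
    if ($result === false) {
        throw new RuntimeException('Regex failure: ' . preg_last_error_msg());
    }
    return $result === 1;
}

// Demo on constructed inputs: the two values that break the vulnerable
// version ("/" and an XSS test string containing "</script>") are rejected
// by the hardened one before any regex is built.
foreach (['en', 'fr-CA', '/', '<script>alert(1)</script>'] as $code) {
    $unsafe = @matchesLanguageUnsafe($code, '/en/blog');   // @ only hides the warning for the demo
    try {
        $safe = matchesLanguageSafe($code, '/en/blog') ? 'match' : 'no match';
    } catch (InvalidArgumentException $e) {
        $safe = 'rejected';
    }
    printf("%-28s unsafe=%-5s safe=%s\n", var_export($code, true), var_export($unsafe, true), $safe);
}
```

Run it with `php example.php`: "en" matches in both versions, "fr-CA" simply does not match the sample path, and the two malformed values make the unsafe version return false (with a PCRE warning that Grav's error handling turns into an uncaught exception) while the safe version rejects them before calling preg_match(). The order of the layers matters: the allow-list alone would have stopped this CVE, preg_quote() covers values the allow-list is later relaxed to accept, and the false-check keeps any remaining failure a handled error rather than a site-wide crash.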

Attack Vector

The attack requires network access and high privileges (administrator access to the Grav admin panel). An attacker with administrative credentials can navigate to /admin/config/system, locate the Languages submenu, and enter a malformed value in the Supported parameter field.

The attack is straightforward to execute: simply entering a single forward slash (/) character or other regex metacharacters will trigger the vulnerability. Once the configuration is saved, the malformed value causes a fatal error on subsequent requests, resulting in complete site unavailability.

The vulnerability mechanism involves the Grav application passing user-supplied language codes directly to preg_match() without validation. When malformed input is provided, the regex engine encounters a syntax error, throwing an uncaught exception that propagates up and crashes the application. For detailed technical analysis, refer to the GitHub Security Advisory.

Detection Methods for CVE-2025-66305

Indicators of Compromise

  • PHP fatal errors in server logs referencing preg_match() function failures
  • Sudden application unavailability following admin panel configuration changes
  • Error messages containing "preg_match(): Unknown modifier" or similar regex-related errors
  • Unusual values in the Grav system configuration files for language settings

Detection Strategies

Organizations can detect potential exploitation attempts by:

  1. Log Monitoring: Monitor PHP error logs for fatal errors related to preg_match() function calls, particularly those originating from language-related code paths.

  2. Configuration Auditing: Regularly audit the Grav system configuration files for unexpected or malformed values in language settings.

  3. Admin Activity Tracking: Implement logging for all administrative configuration changes, particularly in the system settings area.

  4. Web Application Firewall (WAF): Configure WAF rules to detect and alert on suspicious patterns being submitted to the admin configuration endpoints.
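The following PHP is an added example, not SentinelOne's or Grav's code, that turns the Log Monitoring and Configuration Auditing strategies above into something that can run from cron: one function scans PHP error-log lines for regex failures of the kind this CVE produces, and another checks the configured supported-language list for values that are not plausible language codes. The log lines, the file path in them and the supported-language array are constructed for the demonstration; the patterns matched are the standard PHP warning texts for a malformed pattern.

```php
<?php
// Added example, not SentinelOne's or Grav's code.
// (a) scan a PHP error log for regex failures that indicate a malformed pattern
// (b) audit the languages.supported list for values that are not language codes
// All log lines, paths and config values below are constructed for the demo.
declare(strict_types=1);

// Standard PHP warning/fatal texts emitted for an invalid preg_match() pattern.
const REGEX_FAILURE_PATTERNS = [
    '/preg_match\(\): Unknown modifier/',
    '/preg_match\(\): Compilation failed/',
    '/PHP Fatal error:.*preg_match/',
];

/** Return every log line that indicates a regex failure, with its 1-based line number. */
function findRegexFailures(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $i => $line) {
        foreach (REGEX_FAILURE_PATTERNS as $pattern) {
            if (preg_match($pattern, $line) === 1) {
                $hits[] = ['line' => $i + 1, 'text' => trim($line)];
                break;   // one hit per line is enough
            }
        }
    }
    return $hits;
}

/** Return the entries of languages.supported that do not look like language codes. */
function auditSupportedLanguages(array $supported): array
{
    $bad = [];
    foreach ($supported as $code) {
        // Assumed shape for a language code: 2-3 letters plus optional "-subtag" parts.
        if (!is_string($code) || preg_match('/^[A-Za-z]{2,3}(?:-[A-Za-z0-9]{2,8})*$/', $code) !== 1) {
            $bad[] = $code;
        }
    }
    return $bad;
}

// --- demo with constructed data (paths and timestamps are made up) ---
$sampleLog = [
    '[22-Jan-2026 10:01:02 UTC] PHP Notice:  Undefined index: foo in /var/www/html/grav/user/plugins/example.php on line 7',
    '[22-Jan-2026 10:03:44 UTC] PHP Warning:  preg_match(): Unknown modifier \')\' in /var/www/html/grav/system/example-language.php on line 123',
    '[22-Jan-2026 10:03:44 UTC] PHP Fatal error:  Uncaught ErrorException: preg_match(): Unknown modifier \')\' in /var/www/html/grav/system/example-language.php:123',
    '[22-Jan-2026 10:05:10 UTC] PHP Notice:  Trying to access array offset on null in /var/www/html/grav/system/example.php on line 9',
];

// Values as they would be read from user/config/system.yaml (languages.supported);
// loading the YAML is left out, the array is constructed here.
$supported = ['en', 'fr-CA', '/', '<script>alert(1)</script>'];

foreach (findRegexFailures($sampleLog) as $hit) {
    printf("ALERT log line %d: %s\n", $hit['line'], $hit['text']);
}
foreach (auditSupportedLanguages($supported) as $value) {
    printf("ALERT suspicious languages.supported entry: %s\n", var_export($value, true));
}
```

On the sample data the log scanner reports lines 2 and 3 and the config audit reports "/" and the script tag, while the ordinary notices and the valid codes are ignored. Pointing findRegexFailures() at the real PHP error log (and the audit at the parsed system.yaml) gives the two signals the Indicators of Compromise list describes; correlating a hit with an admin configuration change at the same timestamp is what distinguishes this CVE from an unrelated regex bug in a plugin.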

Monitoring Recommendations

  • Enable verbose PHP error logging in production environments (while ensuring errors are not displayed to end users)
  • Implement application performance monitoring (APM) to detect sudden availability drops
  • Set up automated alerts for HTTP 500 errors on the Grav application
  • Monitor the /admin/config/system endpoint for unusual POST requests
  • Configure backup and recovery procedures to minimize downtime if exploitation occurs

How to Mitigate CVE-2025-66305

Immediate Actions Required

  • Upgrade Grav to version 1.8.0-beta.27 or later immediately
  • Review admin user accounts and remove or disable any unnecessary administrative access
  • Audit recent configuration changes in the Languages settings for suspicious values
  • Implement network-level access controls to restrict admin panel access to trusted IP addresses

Patch Information

The vulnerability has been fixed in Grav version 1.8.0-beta.27. The patch is available in commit ed640a13143c4177af013cf001969ed2c5e197ee.

The fix implements proper input validation for the Supported languages parameter, ensuring that only valid language codes can be entered and that any special characters are properly handled before being used in regular expression operations.

Organizations should:

  1. Review the GitHub Security Advisory GHSA-m8vh-v6r6-w7p6 for complete details
  2. Download and apply the patched version from the official Grav repository
  3. Test the update in a staging environment before deploying to production

Workarounds

If immediate patching is not possible, organizations can implement the following temporary mitigations:

  1. Restrict Admin Access: Limit access to the Grav admin panel to only essential personnel and trusted IP addresses using web server configuration or firewall rules.

  2. Read-Only Configuration: Where possible, set the Grav configuration files to read-only to prevent modifications through the admin panel.

  3. Monitoring and Alerting: Implement enhanced monitoring for the admin configuration endpoints and set up immediate alerts for any configuration changes.

```apache
# Restrict Grav's /admin route in the Apache server configuration.
# <Directory> is not permitted inside .htaccess, and /admin is a route served
# by index.php rather than a real directory, so match the URL path instead.
<Location "/admin">
    Require ip 192.168.1.0/24
    Require ip 10.0.0.0/8
</Location>
```

```nginx
# Or via the Nginx server block; the route must still be passed to index.php
location /admin {
    allow 192.168.1.0/24;
    allow 10.0.0.0/8;
    deny all;
    try_files $uri /index.php?$query_string;
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: DoS
  • Vendor/Tech: Getgrav
  • Severity: MEDIUM
  • CVSS Score: 6.9
  • EPSS Probability: 0.06%
  • Known Exploited: No
  • CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-248

Vendor Resources

  • Patch
  • Exploit, Vendor Advisory

Related CVEs

  • CVE-2025-66294: Getgrav Grav RCE Vulnerability
  • CVE-2025-66295: Getgrav Grav Path Traversal Vulnerability
  • CVE-2025-66296: Getgrav Grav Privilege Escalation Flaw
  • CVE-2025-66308: Grav-plugin-admin Stored XSS Vulnerability
©2026 SentinelOne, All Rights Reserved.