CVE-2025-66307 Overview
A user enumeration and email disclosure vulnerability exists in the Grav CMS admin plugin prior to version 1.11.0-beta.1. The "Forgot Password" functionality at the /admin/forgot endpoint leaks information about valid usernames and their associated email addresses through distinct server responses. This information disclosure vulnerability allows attackers to enumerate users and disclose sensitive email addresses, which can be leveraged for targeted attacks such as password spraying, phishing, or social engineering campaigns.
Critical Impact
Attackers can enumerate valid usernames and email addresses through the password reset functionality, enabling targeted credential attacks, phishing campaigns, and social engineering against confirmed user accounts.
Affected Products
- Grav Admin Plugin (grav-plugin-admin) versions prior to 1.11.0-beta.1
Discovery Timeline
- 2025-12-01 - CVE-2025-66307 published to NVD
- 2025-12-03 - Last updated in NVD database
Technical Details for CVE-2025-66307
Vulnerability Analysis
This vulnerability is classified under CWE-204 (Observable Response Discrepancy), where the application's different error messages for valid versus invalid usernames create an observable pattern that attackers can exploit. With a CVSS 3.1 score of 5.3 (Medium severity) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, the vulnerability is network-exploitable without authentication or user interaction.
The Exploit Prediction Scoring System (EPSS) assigns this vulnerability a probability of 0.036% with a percentile ranking of 10.27, indicating a relatively low likelihood of exploitation in the wild. However, user enumeration vulnerabilities are commonly targeted as preliminary reconnaissance steps in broader attack campaigns.
Root Cause
The root cause lies in the error handling of the password reset functionality in LoginController.php. When a user requested a password reset, the application returned different error messages depending on whether the submitted username or email existed in the system. The original code also exposed the actual email address in its rate-limiting error message, directly confirming both that the user existed and which email address belonged to the account.
Attack Vector
The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) and no user interaction (UI:N). An attacker can systematically submit password reset requests to the /admin/forgot endpoint with various usernames or email addresses, analyzing the server responses to identify valid accounts. The distinct response patterns—including error messages that revealed email addresses during rate limiting—allowed attackers to build a list of valid users and their email addresses for subsequent attacks.
The following patch demonstrates the fix implemented to address the user enumeration issue:
$interval = $config->get('plugins.login.max_pw_resets_interval', 2);
- $this->setMessage($this->translate('PLUGIN_LOGIN.FORGOT_CANNOT_RESET_IT_IS_BLOCKED', $to, $interval), 'error');
+ // Security: Use generic message to prevent email enumeration (GHSA-q3qx-cp62-f6m7)
+ $this->setMessage($this->translate('PLUGIN_ADMIN.FORGOT_CANNOT_RESET_RATE_LIMITED', $interval), 'error');
return $this->createRedirectResponse($current);
}
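Review bot: the generic message closes the leak only in this rate-limited branch; the hunk does not show what the controller answers for an unknown username/email or for a successful request, and unless those paths return the same message and the same redirect to $current, the observable discrepancy simply moves to another branch rather than disappearing. The replacement key PLUGIN_ADMIN.FORGOT_CANNOT_RESET_RATE_LIMITED also needs to be present in the admin plugin's language files in the same change (the removed key lived under PLUGIN_LOGIN), otherwise the raw key string is shown to the user.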
Source: https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0
The patch replaces the verbose error message that included the user's email address ($to) with a generic rate-limited message that only displays the time interval, preventing email enumeration.
Detection Methods for CVE-2025-66307
Indicators of Compromise
- Unusual volume of requests to the /admin/forgot password reset endpoint
- Multiple password reset attempts from single IP addresses with varying usernames
- Sequential or automated patterns in username submissions to the forgot password form
- Failed authentication attempts following password reset enumeration activity
Detection Strategies
Organizations should implement web application firewall (WAF) rules to detect and block automated enumeration attempts against the password reset endpoint. Log analysis should focus on identifying patterns of repeated requests to /admin/forgot with varying input values from single source IPs. Implementing CAPTCHA or progressive delays after multiple failed attempts can help detect and mitigate automated enumeration.
Monitor for requests that trigger rate-limiting responses, as attackers may use rate-limiting behavior as a signal to confirm valid accounts. Security teams should analyze HTTP response sizes and timing patterns, as user enumeration vulnerabilities often manifest as subtle differences in response characteristics.
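Log-side detection of the two signals described above, as an added example that is not the project's own code: it parses constructed Apache Combined-format access-log lines, applies per-IP count-in-window logic to POST /admin/forgot (the same findtime/maxretry idea a fail2ban jail uses), and reports whether the endpoint's responses were observably different. The log lines, addresses, response sizes and the threshold of five submissions in ten minutes are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed Apache Combined-format lines (not real traffic): one client fires rapid
# POSTs at /admin/forgot, another makes a single legitimate reset request.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Dec/2025:10:00:01 +0000] "POST /admin/forgot HTTP/1.1" 302 1149 "-" "curl/8.4"
198.51.100.7 - - [01/Dec/2025:10:00:02 +0000] "POST /admin/forgot HTTP/1.1" 302 1203 "-" "curl/8.4"
198.51.100.7 - - [01/Dec/2025:10:00:03 +0000] "POST /admin/forgot HTTP/1.1" 302 1149 "-" "curl/8.4"
198.51.100.7 - - [01/Dec/2025:10:00:04 +0000] "POST /admin/forgot HTTP/1.1" 302 1203 "-" "curl/8.4"
198.51.100.7 - - [01/Dec/2025:10:00:05 +0000] "POST /admin/forgot HTTP/1.1" 302 1149 "-" "curl/8.4"
203.0.113.20 - - [01/Dec/2025:10:03:31 +0000] "POST /admin/forgot HTTP/1.1" 302 1149 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def parse_line(line):
    """Parse one Combined-format line into a dict; None if the line does not match."""
    m = LINE_RE.match(line)
    return m and dict(m.groupdict(), ts=datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))

def forgot_posts(log_text):
    """Yield the parsed POST /admin/forgot records, i.e. password-reset submissions."""
    for rec in map(parse_line, log_text.splitlines()):
        if rec and rec["method"] == "POST" and rec["path"].startswith("/admin/forgot"):
            yield rec

def flag_enumeration(log_text, threshold=5, window=timedelta(minutes=10)):
    """IP -> peak reset submissions inside any `window`, for IPs reaching `threshold`
    (the same findtime/maxretry logic a fail2ban jail applies)."""
    per_ip = defaultdict(list)
    for rec in forgot_posts(log_text):
        per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def response_discrepancy(log_text):
    """Distinct (status, bytes) pairs the reset endpoint returned; more than one means
    submissions are observably different (CWE-204). Sizes here are constructed; with
    Grav's redirect flow, run the same comparison on the page fetched after the 302."""
    return {(rec["status"], rec["size"]) for rec in forgot_posts(log_text)}
```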
Monitoring Recommendations
Configure web server access logs to capture full request details for the admin panel endpoints. Set up alerting thresholds for password reset request volumes that exceed normal baselines. Implement real-time monitoring of authentication-related endpoints with anomaly detection capabilities. Consider deploying honeypot usernames to detect enumeration attempts and track attacker methodologies.
How to Mitigate CVE-2025-66307
Immediate Actions Required
- Upgrade the Grav Admin Plugin to version 1.11.0-beta.1 or later immediately
- Review access logs for evidence of prior enumeration attempts against the /admin/forgot endpoint
- Implement rate limiting and CAPTCHA on the password reset functionality if not already present
- Consider implementing IP-based blocking for excessive password reset requests
Patch Information
The vulnerability is fixed in Grav Admin Plugin version 1.11.0-beta.1. The security patch is available via the official GitHub repository commit 99f653296504f1d6408510dd2f6f20a45a26f9b0. Organizations should update through their standard Grav update mechanisms or by manually applying the patch from the official repository.
Additional security advisories and details are available at:
- Security Advisory: https://github.com/getgrav/grav/security/advisories/GHSA-q3qx-cp62-f6m7
- Patch Commit: https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0
Workarounds
If immediate patching is not possible, organizations can implement the following temporary mitigations:
# Apache workaround for the /admin/forgot endpoint (Apache 2.4+)
# Add to the .htaccess file in the Grav root directory (requires AllowOverride AuthConfig).
# mod_rewrite cannot count requests, so rather than rate limiting this restricts the
# password-reset endpoint to trusted source addresses; replace the example
# (RFC 5737 documentation) ranges with your own.
<If "%{REQUEST_URI} =~ m#^/admin/forgot#">
    Require ip 203.0.113.0/24 198.51.100.10
</If>
# Alternative: use fail2ban to watch the access log and ban excessive requesters
# /etc/fail2ban/filter.d/grav-admin.conf
[Definition]
# Matches every POST to /admin/forgot in a Combined-format log; the jail's
# maxretry/findtime decide how many inside the window count as abuse.
failregex = ^<HOST> .* "POST /admin/forgot.*"
ignoreregex =
# /etc/fail2ban/jail.d/grav-admin.conf (jail that activates the filter above)
[grav-admin]
enabled  = true
filter   = grav-admin
logpath  = /var/log/apache2/access.log
maxretry = 10
findtime = 600
bantime  = 3600
Consider placing the Grav admin panel behind additional authentication layers (such as HTTP Basic Auth or VPN access) to reduce exposure. Network-level controls such as restricting admin panel access to trusted IP ranges can provide defense-in-depth while awaiting the patch deployment.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.