CVE-2025-66305
- Source
- https://cve.org/CVERecord?id=CVE-2025-66305
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66305.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-66305
- Aliases
- Published
- 2025-12-01T21:43:29.725Z
- Modified
- 2026-03-02T08:04:24.044626Z
- Severity
-
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Grav vulnerable to Denial of Service via Improper Input Handling in 'Supported' Parameter
- Details
-
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Denial of Service (DoS) vulnerability was identified in the "Languages" submenu of the Grav admin configuration panel (/admin/config/system). Specifically, the Supported parameter fails to properly validate user input. If a malformed value is inserted—such as a single forward slash (/) or an XSS test string—it causes a fatal regular expression parsing error on the server. This leads to application-wide failure due to the use of the preg_match() function with an improperly constructed regular expression, resulting in an error. Once triggered, the site becomes completely unavailable to all users. This vulnerability is fixed in 1.8.0-beta.27.
- Database specific
{ "cwe_ids": [ "CWE-248" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66305.json" }- References
Affected packages
Git / github.com/getgrav/grav
Affected versions
1.*
1.7.48
1.7.49
1.7.49.1
1.7.49.2
1.7.49.3
1.7.49.4
1.8.0-beta.1
1.8.0-beta.10
1.8.0-beta.11
1.8.0-beta.12
1.8.0-beta.13
1.8.0-beta.14
1.8.0-beta.15
1.8.0-beta.16
1.8.0-beta.17
1.8.0-beta.18
1.8.0-beta.19
1.8.0-beta.2
1.8.0-beta.20
1.8.0-beta.21
1.8.0-beta.22
1.8.0-beta.23
1.8.0-beta.24
1.8.0-beta.25
1.8.0-beta.26
1.8.0-beta.3
1.8.0-beta.4
1.8.0-beta.5
1.8.0-beta.6
1.8.0-beta.7
1.8.0-beta.8
1.8.0-beta.9