GHSA-h756-wh59-hhjv

Source

https://github.com/advisories/GHSA-h756-wh59-hhjv

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-h756-wh59-hhjv/GHSA-h756-wh59-hhjv.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-h756-wh59-hhjv

Aliases

CVE-2025-66295

Published

2025-12-02T01:23:05Z

Modified

2025-12-02T01:57:44.653155Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption

Details

Summary

When a user with privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example ..\Nijat or ../Nijat), Grav writes the account YAML file to an unintended path outside user/accounts/. The written YAML can contain account fields such as email, fullname, twofasecret, and hashedpassword. In my tests, I was able to cause the Admin UI to write the following content into arbitrary .yaml files (including files like email.yaml, system.yaml, or other site YAML files like admin.yaml) — demonstrating arbitrary YAML write / overwrite via the Admin UI.

Example observed content written by the Admin UI (test data): username: ..\Nijat state: enabled email: EMAIL@gmail.com fullname: 'Nijat Alizada' language: en contenteditor: default twofaenabled: false twofasecret: RWVEIHC2AFVD6FCR6UHCO3DS4HWXKKDT avatar: { } hashedpassword: $2y$10$wl9Ktv3vUmDKCt8o6u2oOuRZr1I04OE0YZf2sJ1QcAherbNnk1XVC access: site: login: true

Steps to Reproduce

Log in to the Grav Admin UI as an administrator.
Create a new user with the following values (example): a. Username: ..\POC-TOKEN-2025-09-29 b. Fullname: POC-TOKEN-2025-09-29 c. Email: poc+2025-09-29@example.test d. Password: (any password) Observe that a YAML file containing the POC-TOKEN is written outside user/accounts/ (for example in the parent directory of user/accounts)

Impact

Config corruption / service disruption: Overwriting system.yaml, email.yaml, or plugin config files with attacker-controlled YAML (even if limited to fields present in account YAML) could break functionality, disable services, or cause misconfiguration requiring recovery from backups.
Account takeover, any user with create user privilege can modify other user's email and password by just creating a new user with the name "..\accounts\USERNAMEOFVICTIM"

Proof of Concept

https://github.com/user-attachments/assets/cf503d74-f765-4031-8e22-71f6b3630847

Database specific

{
    "severity": "HIGH",
    "nvd_published_at": "2025-12-01T21:15:53Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-02T01:23:05Z"
}

References

Affected packages

Packagist / getgrav/grav

Package

Name: getgrav/grav
Purl: pkg:composer/getgrav/grav

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.8.0-beta.27

Affected versions

0.*

0.8.0

0.9.0

0.9.1

0.9.2

0.9.3

0.9.4

0.9.5

0.9.6

0.9.7

0.9.8

0.9.9

0.9.10

0.9.11

0.9.12

0.9.13

0.9.14

0.9.15

0.9.16

0.9.17

0.9.18

0.9.19

0.9.20

0.9.21

0.9.22

0.9.23

0.9.24

0.9.25

0.9.26

0.9.27

0.9.28

0.9.29

0.9.30

0.9.31

0.9.32

0.9.33

0.9.34

0.9.35

0.9.36

0.9.37

0.9.38

0.9.39

0.9.40

0.9.41

0.9.42

0.9.43

0.9.44

0.9.45

1.*

1.0.0-rc.1

1.0.0-rc.2

1.0.0-rc.3

1.0.0-rc.4

1.0.0-rc.5

1.0.0-rc.6

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.0.10

1.1.0-beta.1

1.1.0-beta.2

1.1.0-beta.3

1.1.0-beta.4

1.1.0-beta.5

1.1.0-rc.1

1.1.0-rc.2

1.1.0-rc.3

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.1.7

1.1.8

1.1.9-rc.1

1.1.9-rc.2

1.1.9-rc.3

1.1.9

1.1.10

1.1.11

1.1.12

1.1.13

1.1.14

1.1.15

1.1.16

1.1.17

1.2.0-rc.1

1.2.0-rc.2

1.2.0-rc.3

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.3.0-rc.1

1.3.0-rc.2

1.3.0-rc.3

1.3.0-rc.4

1.3.0-rc.5

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

1.3.7

1.3.8

1.3.9

1.3.10

1.4.0-beta.1

1.4.0-beta.2

1.4.0-beta.3

1.4.0-rc.1

1.4.0-rc.2

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.4.7

1.4.8

1.5.0-beta.1

1.5.0-beta.2

1.5.0-rc.1

1.5.0

1.5.1

1.5.2

1.5.3

1.5.4

1.5.5

1.5.6

1.5.7

1.5.8

1.5.9

1.5.10

1.6.0-beta.1

1.6.0-beta.2

1.6.0-beta.3

1.6.0-beta.4

1.6.0-beta.5

1.6.0-beta.6

1.6.0-beta.7

1.6.0-beta.8

1.6.0-rc.1

1.6.0-rc.2

1.6.0-rc.3

1.6.0-rc.4

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

1.6.6

1.6.7

1.6.8

1.6.9

1.6.10

1.6.11

1.6.12

1.6.13

1.6.14

1.6.15

1.6.16

1.6.17

1.6.18

1.6.19

1.6.20

1.6.21

1.6.22

1.6.23

1.6.24

1.6.25

1.6.26

1.6.27

1.6.28

1.6.29

1.6.30

1.6.31

1.7.0-beta.1

1.7.0-beta.2

1.7.0-beta.3

1.7.0-beta.4

1.7.0-beta.5

1.7.0-beta.6

1.7.0-beta.7

1.7.0-beta.8

1.7.0-beta.9

1.7.0-beta.10

1.7.0-rc.1

1.7.0-rc.2

1.7.0-rc.3

1.7.0-rc.4

1.7.0-rc.5

1.7.0-rc.6

1.7.0-rc.7

1.7.0-rc.8

1.7.0-rc.9

1.7.0-rc.10

1.7.0-rc.11

1.7.0-rc.12

1.7.0-rc.13

1.7.0-rc.14

1.7.0-rc.15

1.7.0-rc.16

1.7.0-rc.17

1.7.0-rc.18

1.7.0-rc.19

1.7.0-rc.20

1.7.0

1.7.1

1.7.3

1.7.4

1.7.5

1.7.6

1.7.7

1.7.8

1.7.9

1.7.10

1.7.12

1.7.13

1.7.14

1.7.15

1.7.16

1.7.17

1.7.18

1.7.19

1.7.20

1.7.21

1.7.22

1.7.23

1.7.24

1.7.25

1.7.26

1.7.26.1

1.7.27

1.7.27.1

1.7.28

1.7.29

1.7.29.1

1.7.30

1.7.31

1.7.32

1.7.33

1.7.34

1.7.35

1.7.36

1.7.37

1.7.37.1

1.7.38

1.7.39

1.7.39.1

1.7.39.2

1.7.39.3

1.7.39.4

1.7.40

1.7.41

1.7.41.1

1.7.41.2

1.7.42

1.7.42.1

1.7.42.2

1.7.42.3

1.7.43

1.7.44

1.7.45

1.7.46

1.7.47

1.7.48

1.7.49

1.7.49.1

1.7.49.2

1.7.49.3

1.7.49.4

1.7.49.5

1.8.0-beta.1

1.8.0-beta.2

1.8.0-beta.3

1.8.0-beta.4

1.8.0-beta.5

1.8.0-beta.6

1.8.0-beta.7

1.8.0-beta.8

1.8.0-beta.9

1.8.0-beta.10

1.8.0-beta.11

1.8.0-beta.12

1.8.0-beta.13

1.8.0-beta.14

1.8.0-beta.15

1.8.0-beta.16

1.8.0-beta.17

1.8.0-beta.18

1.8.0-beta.19

1.8.0-beta.20

1.8.0-beta.21

1.8.0-beta.22

1.8.0-beta.23

1.8.0-beta.24

1.8.0-beta.25

1.8.0-beta.26