ghsa-j422-qmxp-hv94
Vulnerability from github
Published
2025-12-02 00:38
Modified
2025-12-02 00:38
Severity ?
6.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Summary
Grav vulnerable to Path Traversal allowing server files backup
Details

Summary

A path traversal vulnerability has been identified in Grav CMS, versions 1.7.49.5 , allowing authenticated attackers with administrative privileges to read arbitrary files on the underlying server filesystem. This vulnerability arises due to insufficient input sanitization in the backup tool, where user-supplied paths are not properly restricted, enabling access to files outside the intended webroot directory. The impact of this vulnerability depends on the privileges of the user account running the application.

PoC

``` To accurately demonstrate the maximum potential impact of this vulnerability, the testing environment was configured in a specific way:

  • Elevated Privileges: The application was run locally with the highest possible system privileges, operating under the root user account.

  • Objective: This configuration was chosen to unequivocally show that the path traversal vulnerability is not just a theoretical issue but can lead to a complete compromise of the underlying host when combined with poor operational practices. The ability to read any file on the system is the ultimate test of the flaw's severity.

Proof of Concept Goal: Under these conditions, the subsequent PoC will exploit the vulnerability to read the SSH private key of the root user (/root/.ssh/id_rsa). The successful exfiltration of this key represents a worst-case scenario, as it would provide an attacker with persistent, undetectable, and complete administrative access to the host server. This highlights the critical intersection of an application-layer vulnerability and a infrastructure-level misconfiguration.

```

``` 1- LOGIN AS ADMIN AND GO TO : http://127.0.0.1/admin/tools/backups 2- Change 'Root Folder' to backup directory /../../../../../../../root/.ssh/

``` Screenshot 2025-09-11 161519

3- CLICK : 'SAVE' 4- CLICK : 'Backup Now'

Screenshot 2025-09-11 154151

5- Extract Backup :

Screenshot 2025-09-11 160114 Screenshot 2025-09-11 160135

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getgrav/grav"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.0-beta.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66302"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-02T00:38:41Z",
    "nvd_published_at": "2025-12-01T22:15:49Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n```\nA path traversal vulnerability has been identified in Grav CMS, versions 1.7.49.5 , allowing authenticated attackers\n with administrative privileges to read arbitrary files on the underlying server filesystem. This vulnerability arises due\n to insufficient input sanitization in the backup tool, where user-supplied paths are not properly restricted, enabling\n access to files outside the intended webroot directory. The impact of this vulnerability depends on the privileges of \nthe user account running the application.\n```\n\n### PoC\n```\nTo accurately demonstrate the maximum potential impact of this vulnerability, the testing environment was configured in a specific way:\n\n- Elevated Privileges: The application was run locally with the highest possible system privileges, operating under the **`root`** user account.\n    \n- Objective: This configuration was chosen to unequivocally show that the path traversal vulnerability is not just a theoretical issue but can lead to a complete compromise of the underlying host when combined with poor operational practices. The ability to read any file on the system is the ultimate test of the flaw\u0027s severity.\n    \n\nProof of Concept Goal: Under these conditions, the subsequent PoC will exploit the vulnerability to read the SSH private key\n of the `root` user (`/root/.ssh/id_rsa`). The successful exfiltration of this key represents a worst-case scenario, as it would provide \nan attacker with persistent, undetectable, and complete administrative access to the host server. This highlights the critical intersection\n of an application-layer vulnerability and a infrastructure-level misconfiguration.\n\n```\n\n\n\n\n```\n1- LOGIN AS ADMIN AND  GO TO  : http://127.0.0.1/admin/tools/backups\n2- Change \u0027Root Folder\u0027 to backup directory /../../../../../../../root/.ssh/ \n\n```\n\u003cimg width=\"1902\" height=\"492\" alt=\"Screenshot 2025-09-11 161519\" src=\"https://github.com/user-attachments/assets/23a60dc3-7758-4e24-b910-e66a1dd1f5e2\" /\u003e\n\n\n\n```\n3- CLICK  : \u0027SAVE\u0027\n4- CLICK  : \u0027Backup Now\u0027\n```\n\n\u003cimg width=\"1916\" height=\"512\" alt=\"Screenshot 2025-09-11 154151\" src=\"https://github.com/user-attachments/assets/88a63ff2-777e-467e-857b-0644ef698499\" /\u003e\n\n```\n5- Extract Backup :\n```\n\n\n\u003cimg width=\"704\" height=\"101\" alt=\"Screenshot 2025-09-11 160114\" src=\"https://github.com/user-attachments/assets/b91ce4db-9843-4280-b8f0-32c73aa12d4d\" /\u003e\n\u003cimg width=\"567\" height=\"101\" alt=\"Screenshot 2025-09-11 160135\" src=\"https://github.com/user-attachments/assets/155ce7d8-c2fc-4b54-b054-f7c7550bec82\" /\u003e",
  "id": "GHSA-j422-qmxp-hv94",
  "modified": "2025-12-02T00:38:41Z",
  "published": "2025-12-02T00:38:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-j422-qmxp-hv94"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66302"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getgrav/grav"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Grav vulnerable to Path Traversal allowing server files backup"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.