ghsa-m8vh-v6r6-w7p6
Vulnerability from github
Published
2025-12-02 00:46
Modified
2025-12-02 00:46
Summary
Grav vulnerable to Denial of Service via Improper Input Handling in 'Supported' Parameter
Details

Endpoint: admin/config/system
Submenu: Languages
Parameter: Supported
Application: Grav v1.7.48 (the affected range in the record below is every version before 1.8.0-beta.27)


Summary

A Denial of Service (DoS) vulnerability was identified in the "Languages" submenu of the Grav admin configuration panel (/admin/config/system). The Supported parameter is not validated before use. If a value containing regular-expression syntax is saved, such as a single forward slash (/) or an XSS test string, the pattern Grav assembles from it no longer compiles, and the warning preg_match() emits is raised as a fatal error on the server.

The application-wide failure comes from preg_match() being called with a pattern built from the unvalidated value. An injected forward slash is the PCRE delimiter, so it terminates the pattern early, and PCRE then reads whatever follows as pattern modifiers; which character is reported depends on what follows the injected delimiter in the assembled pattern. On the reported version the error is:

preg_match(): Unknown modifier 'o' File: /system/src/Grav/Common/Language/Language.php line 244

Once triggered, the site becomes completely unavailable to all users.


Details

  • Vulnerable Endpoint: POST /admin/config/system

  • Submenu: Languages

  • Parameter: Supported

The application builds a regular expression from the contents of the Supported field without escaping the values with preg_quote() or validating them against the shape of a language code. Any regex metacharacter, and in particular the / delimiter, therefore reaches the PCRE compiler unchanged. Because Grav resolves the active language from the request URI, the broken pattern is evaluated on every request, so a single bad entry takes down the front end and the admin panel alike.

Stack trace excerpt:

Whoops \ Exception \ ErrorException (E_WARNING) preg_match(): Unknown modifier 'o' /system/src/Grav/Common/Language/Language.php line 244
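The following PHP script is an added illustration, not code from Grav or from the advisory author. It reproduces the mechanism in miniature: a /-delimited pattern assembled from a list of language codes, one unsafe builder and one hardened builder, with the advisory's payload fed to both. The pattern shape, the function names and the allow-list expression are assumptions chosen for the example; they are not the exact expression at Language.php line 244.

```php
<?php
// Added example, not Grav's own code. It shows why a Supported entry such as
// "/" breaks a dynamically built PCRE pattern and how preg_quote() plus an
// allow-list of language tags prevents it. The pattern shape is an assumption
// for illustration; it is not the exact expression at Language.php line 244.
declare(strict_types=1);

// preg_match() only emits an E_WARNING for an invalid pattern and returns
// false. Promote it to an exception so the failure is visible, which is what
// Grav's Whoops handler does in the advisory's stack trace.
set_error_handler(static function (int $severity, string $message): bool {
    throw new ErrorException($message, 0, $severity);
});

/** Unsafe: interpolates the raw configuration values into the pattern. */
function resolveLanguageUnsafe(array $supported, string $uri): ?string
{
    $pattern = '/^\/(' . implode('|', $supported) . ')(\/|$)/i';
    return preg_match($pattern, $uri, $m) === 1 ? strtolower($m[1]) : null;
}

/** Safe: reject anything that is not a language tag, then escape the rest. */
function resolveLanguageSafe(array $supported, string $uri): ?string
{
    $quoted = [];
    foreach ($supported as $code) {
        // Allow-list (assumed shape): BCP 47-style tags such as "en", "pt-BR",
        // "zh-Hant-TW". A language code never legitimately contains regex syntax.
        if (!is_string($code) || !preg_match('/^[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})*$/', $code)) {
            throw new InvalidArgumentException('Rejected language code: ' . var_export($code, true));
        }
        // preg_quote() escapes regex metacharacters; passing the delimiter as
        // the second argument also escapes "/", the character the PoC abuses.
        $quoted[] = preg_quote($code, '/');
    }
    $pattern = '/^\/(' . implode('|', $quoted) . ')(\/|$)/i';
    return preg_match($pattern, $uri, $m) === 1 ? strtolower($m[1]) : null;
}

// Constructed inputs: a sane configuration and the advisory's payload.
$sane   = ['en', 'pt-BR'];
$poison = ['en', '/'];
$uri    = '/pt-BR/blog/first-post';

printf("unsafe, sane config : %s\n", resolveLanguageUnsafe($sane, $uri) ?? 'none');
printf("safe,   sane config : %s\n", resolveLanguageSafe($sane, $uri) ?? 'none');

// With "/" in the list the unsafe pattern becomes /^\/(en|/)(\/|$)/i: the
// injected slash closes the pattern early and the remainder is parsed as
// modifiers, so preg_match() fails on every call that uses this pattern.
try {
    resolveLanguageUnsafe($poison, $uri);
} catch (ErrorException $e) {
    printf("unsafe, poisoned    : %s\n", $e->getMessage());
}

// The hardened version refuses the bad entry when the list is processed,
// instead of taking every later request down.
try {
    resolveLanguageSafe($poison, $uri);
} catch (InvalidArgumentException $e) {
    printf("safe,   poisoned    : %s\n", $e->getMessage());
}
```

Run it with the php command-line binary. With "/" in the list the unsafe builder's pattern reads /^\/(en|/)(\/|$)/i: the second unescaped slash terminates the pattern and PHP reports Unknown modifier ')' (the advisory's real pattern yields 'o' for the same reason). preg_quote() with the delimiter passed as its second argument is the necessary escaping step, but the allow-list is the stronger control: rejecting a malformed code when the configuration is saved keeps it from ever reaching preg_match(). Operationally, once the condition has been triggered the admin panel can no longer be used to undo it; the offending entry has to be removed by hand from the stored configuration (user/config/system.yaml under languages.supported in a default Grav layout).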


Proof of Concept (PoC)

Payload (a single forward slash):

/

Steps to Reproduce:

  1. Log into the Grav Admin Panel.

  2. Navigate to: Configuration → System → Languages.

  3. Locate the Supported field.

  4. Insert one of the payloads above (e.g., a single slash /).

  5. Click Save.

[Screenshot omitted: Pasted image 20250719183223]

  6. Observe: every page in the application, front end and admin alike, now throws the error above and is inaccessible.

[Screenshot omitted: Pasted image 20250719175229]


Impact

  • Application-wide Denial of Service (DoS)

  • All login and admin views crash with the same error

  • Potentially exploitable by:

    • Admin panel users (the CVSS vector in the record below rates this PR:H, i.e. high privileges are required)

    • Cross-site request forgery against a logged-in administrator, if the admin panel's request protection is misconfigured


References

  • CWE-1333: Inefficient Regular Expression Complexity (as cited by the reporter; GitHub's review assigns CWE-248, Uncaught Exception, in the record below)

  • CWE-20: Improper Input Validation

Discoverer

Marcelo Queiroz

by CVE-Hunters



{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getgrav/grav"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.0-beta.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66305"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-02T00:46:05Z",
    "nvd_published_at": "2025-12-01T22:15:50Z",
    "severity": "HIGH"
  },
  "details": "**Endpoint**: `admin/config/system`  \n**Submenu**: `Languages`  \n**Parameter**: `Supported`  \n**Application**: Grav v 1.7.48\n\n---\n\n## Summary\n\nA Denial of Service (DoS) vulnerability was identified in the **\"Languages\"** submenu of the Grav **admin configuration panel** (`/admin/config/system`). Specifically, the `Supported` parameter fails to properly validate user input. If a malformed value is inserted\u2014such as a single forward slash (`/`) or an XSS test string\u2014it causes a fatal regular expression parsing error on the server.\n\nThis leads to application-wide failure due to the use of the `preg_match()` function with an **improperly constructed regular expression**, resulting in the following error:\n\n`preg_match(): Unknown modifier \u0027o\u0027 File: /system/src/Grav/Common/Language/Language.php line 244`\n\nOnce triggered, the site becomes completely unavailable to all users.\n\n---\n\n## Details\n\n- **Vulnerable Endpoint**: `POST /admin/config/system`\n    \n- **Submenu**: `Languages`\n    \n- **Parameter**: `Supported`  \n    \n\nThe application dynamically constructs a regular expression using the contents of the `Supported` field without escaping the input using `preg_quote()` or proper validation. This allows attackers to inject invalid syntax into the regex engine, crashing the application during language resolution.\n\n**Stack trace excerpt**:\n\n`Whoops \\ Exception \\ ErrorException (E_WARNING) preg_match(): Unknown modifier \u0027o\u0027 /system/src/Grav/Common/Language/Language.php244`\n\n---\n\n## Proof of Concept (PoC)\n\n### Payloads:\n\n`/ `\n\n### Steps to Reproduce:\n\n1. Log into the Grav Admin Panel.\n    \n2. Navigate to: **Configuration** \u2192 **System** \u2192 **Languages**.\n    \n3. Locate the `Supported` field.\n    \n4. Insert one of the payloads above (e.g., a single slash `/`).\n    \n5. Click **Save**.\n\n\u003cimg width=\"1897\" height=\"639\" alt=\"Pasted image 20250719183223\" src=\"https://github.com/user-attachments/assets/d3a54a20-d30d-46c6-9015-722f80701cfb\" /\u003e\n\n1. Observe: All pages in the application begin throwing a fatal error and become inaccessible.\n\n\u003cimg width=\"1802\" height=\"998\" alt=\"Pasted image 20250719175229\" src=\"https://github.com/user-attachments/assets/b16750c2-507f-4c30-a9bb-d07fa92bb777\" /\u003e\n\n---\n\n## Impact\n\n- Application-wide Denial of Service (DoS)\n    \n- All login and admin views crash with the same error\n    \n- Potentially exploitable by:\n    \n    - Admin panel users\n        \n    - CSRF if misconfigured        \n    \n\n---\n\n## References\n\n- **CWE-1333**: Improper Regular Expression\n    \n- **CWE-20**: Improper Input Validation\n\n\n## Discoverer\n\n[Marcelo Queiroz](www.linkedin.com/in/marceloqueirozjr) \n\nby [CVE-Hunters](https://github.com/Sec-Dojo-Cyber-House/cve-hunters)",
  "id": "GHSA-m8vh-v6r6-w7p6",
  "modified": "2025-12-02T00:46:05Z",
  "published": "2025-12-02T00:46:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-m8vh-v6r6-w7p6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66305"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getgrav/grav"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Grav vulnerable to Denial of Service via Improper Input Handling in \u0027Supported\u0027 Parameter"
}