ghsa-x62q-p736-3997
Vulnerability from github
Published: 2025-12-02 00:36
Modified: 2025-12-02 00:36
Summary: Grav is vulnerable to a DOS on the admin panel
Details

DOS on the admin panel

Severity Rating: Medium

Vector: Denial Of Service

CVE: XXX

CWE: 400 - Uncontrolled Resource Consumption

CVSS Score: 4.9

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Analysis

A Denial of Service (DoS) vulnerability has been identified in the application related to the handling of scheduled_at parameters. Specifically, the application fails to properly sanitize input for cron expressions. By manipulating the scheduled_at parameter with a malicious input, such as a single quote, the application admin panel becomes non-functional, causing significant disruptions to administrative operations.

The only way to recover from this issue is to manually access the host server and modify the backup.yaml file to correct the corrupted cron expression.

Proof of Concept

1) Change the value of the scheduled_at parameter to ' at the http://127.0.0.1/admin/tools endpoint, as shown in the first figure, and observe the response in the second figure:

[Figure gravdos2: HTTP request on the tools endpoint]
[Figure gravdos3: HTTP response on the tools endpoint]

2) When trying to access the admin panel, the panel is broken, as shown in the first figure. Additionally, the value change is reflected in the backup.yaml file, as shown in the second figure:

[Figure gravdos4: Error message view]
[Figure gravdos5: backup.yaml file]
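The root cause described above is that a value submitted for scheduled_at is written into backup.yaml without being checked, so a string that is not a cron expression breaks the admin panel until the file is repaired by hand. The following is an added example, not Grav's own code and not the fix in the referenced commit: it validates a five-field cron expression at the request boundary and only then writes it into a (hypothetical, constructed) backup configuration array, leaving the stored schedule untouched when the input is rejected. The function names and the config array layout are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not Grav's own code): reject a malformed schedule before it
// is persisted, so a lone single quote never reaches backup.yaml.

// Inclusive bounds for the five standard cron fields, in order.
const CRON_FIELD_BOUNDS = [
    'minute'       => [0, 59],
    'hour'         => [0, 23],
    'day_of_month' => [1, 31],
    'month'        => [1, 12],
    'day_of_week'  => [0, 7],   // 0 and 7 both denote Sunday
];

// Validate one field: comma-separated items, each "*" | "n" | "a-b",
// optionally followed by "/step" with step >= 1.
function isValidCronField(string $field, int $min, int $max): bool
{
    if ($field === '') {
        return false;
    }
    foreach (explode(',', $field) as $item) {
        $parts = explode('/', $item, 2);
        $base  = $parts[0];
        if (isset($parts[1]) && preg_match('/^[1-9]\d*$/', $parts[1]) !== 1) {
            return false;                       // bad step value
        }
        if ($base === '*') {
            continue;
        }
        if (preg_match('/^(\d+)(?:-(\d+))?$/', $base, $m) !== 1) {
            return false;                       // not a number or range
        }
        $lo = (int) $m[1];
        $hi = (isset($m[2]) && $m[2] !== '') ? (int) $m[2] : $lo;
        if ($lo < $min || $hi > $max || $lo > $hi) {
            return false;                       // out of range or inverted
        }
    }
    return true;
}

// A full expression is exactly five whitespace-separated valid fields.
function isValidCronExpression(string $expr): bool
{
    $fields = preg_split('/\s+/', trim($expr));
    if (count($fields) !== count(CRON_FIELD_BOUNDS)) {
        return false;
    }
    foreach (array_values(CRON_FIELD_BOUNDS) as $i => [$min, $max]) {
        if (!isValidCronField($fields[$i], $min, $max)) {
            return false;
        }
    }
    return true;
}

// Apply a submitted scheduled_at value to the (hypothetical) backup config.
// Invalid input throws and the previously stored value is left unchanged,
// so the persisted configuration always holds a parseable schedule.
function applyScheduledAt(array $backupConfig, string $submitted): array
{
    if (!isValidCronExpression($submitted)) {
        throw new InvalidArgumentException(
            'scheduled_at must be a valid five-field cron expression'
        );
    }
    $backupConfig['scheduled_at'] = $submitted;
    return $backupConfig;
}

// Constructed sample config and submitted values (including the lone quote
// from the advisory and an out-of-range minute).
$config = ['enabled' => true, 'scheduled_at' => '0 2 * * *'];
foreach (['30 3 * * 1-5', "'", '*/15 0 1,15 * *', '61 0 * * *'] as $input) {
    try {
        $config = applyScheduledAt($config, $input);
        printf("accepted %s\n", $input);
    } catch (InvalidArgumentException $e) {
        printf("rejected %s (%s)\n", var_export($input, true), $e->getMessage());
    }
}
printf("stored schedule: %s\n", $config['scheduled_at']);
```

Run with `php validate_schedule.php`; the two well-formed schedules are accepted, the single quote and the out-of-range minute are rejected, and the stored value is the last accepted expression. Validating before the write is the important design point: the advisory notes that once a bad value is persisted, recovery requires editing backup.yaml on the host, so the check has to happen before persistence rather than when the file is later parsed.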

Workarounds

No workaround is currently known.

Timeline

2024-07-24 Issue identified

2024-09-27 Vendor contacted

About X41 D-Sec GmbH

X41 is an expert provider for application security services. Having extensive industry experience and expertise in the area of information security, a strong core security team of world class security experts enables X41 to perform premium security services.

Fields of expertise in the area of application security are security centered code reviews, binary reverse engineering and vulnerability discovery. Custom research and IT security consulting and support services are core competencies of X41.



{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getgrav/grav"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.0-beta.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66303"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-02T00:36:59Z",
    "nvd_published_at": "2025-12-01T22:15:49Z",
    "severity": "MODERATE"
  },
  "details": "# DOS on the admin panel\n**Severity Rating:** Medium \n\n**Vector:** Denial Of Service\n\n**CVE:** XXX\n\n**CWE:** 400 - Uncontrolled Resource Consumption\n\n**CVSS Score:** 4.9\n\n**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H\n\n## Analysis\n\nA Denial of Service (DoS) vulnerability has been identified in the application related to the handling of `scheduled_at` parameters. Specifically, the application fails to properly sanitize input for cron expressions. By manipulating the `scheduled_at` parameter with a malicious input, such as a single quote, the application admin panel becomes non-functional, causing significant disruptions to administrative operations.\n\nThe only way to recover from this issue is to manually access the host server and modify the `backup.yaml` file to correct the corrupted cron expression\n\n## Proof of Concept\n\n1) Change the value of `scheduled_at` parameter to `\u0027` as shown in the following figures at the `http://127.0.0.1/admin/tools` endpoint, and observe the response in the second figure:\n  ![gravdos2](https://github.com/user-attachments/assets/b2d8935f-c8ba-4eda-998a-8a20b3d5ef7c)\n  *Figure: Http request on tool endpoint*\n![gravdos3](https://github.com/user-attachments/assets/2a283254-316a-45b3-a5ac-6804e2494cd7)\n  *Figure: Http response on tool endpoint*\n\n2) When trying to access the admin panel, the panel is broken as shown in the following figure. Additionally, the value change is reflected in the `backup.yaml` file, as shown in the second figure:\n  ![gravdos4](https://github.com/user-attachments/assets/1257adcb-96c4-4b30-864e-9aa01e410ded)\n  *Figure: Error message view*\n![gravdos5](https://github.com/user-attachments/assets/4cef7c49-6a1e-4414-8332-3195aa2dfc77)\n  *Figure: Backup.yaml file*\n\n\n## Workarounds\nNo workaround is currently known\n\n# Timeline\n**2024-07-24** Issue identified\n\n**2024-09-27** Vendor contacted\n\n\n# About X41 D-Sec GmbH\nX41 is an expert provider for application security services.\nHaving extensive industry experience and expertise in the area of information\nsecurity, a strong core security team of world class security experts enables\nX41 to perform premium security services.\n\nFields of expertise in the area of application security are security centered\ncode reviews, binary reverse engineering and vulnerability discovery.\nCustom research and IT security consulting and support services are core\ncompetencies of X41.",
  "id": "GHSA-x62q-p736-3997",
  "modified": "2025-12-02T00:36:59Z",
  "published": "2025-12-02T00:36:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-x62q-p736-3997"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66303"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/9d11094e4133f059688fad1e00dbe96fb6e3ead7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getgrav/grav"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Grav is vulnerable to a DOS on the admin panel"
}





