CVE-2023-37897

CVE-2023-37897 is a high-severity security vulnerability in getgrav/grav (composer), affecting versions <= 1.7.42.1. It is fixed in 1.7.42.2.

Summary

The fix for SSTI using |map, |filter and |reduce twigs implemented in the commit 71bbed1 introduces bypass of the denylist due to incorrect return value from isDangerousFunction(), which allows to execute the payload prepending double backslash (\\)

Details

The isDangerousFunction() check in version 1.7.42 and onwards retuns false value instead of true when the \ symbol is found in the $name.

...
        if (strpos($name, "\\") !== false) {
            return false;
        }

        if (in_array($name, $commandExecutionFunctions)) {
            return true;
        }
...

Based on the code where the function is used, it is expected that any dangerous condition would return true

    /**
     * @param Environment $env
     * @param array $array
     * @param callable|string $arrow
     * @return array|CallbackFilterIterator
     * @throws RuntimeError
     */
    function mapFunc(Environment $env, $array, $arrow)
    {
        if (!$arrow instanceof \Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) {
            throw new RuntimeError('Twig |map("' . $arrow . '") is not allowed.');
	}

when |map('\system') is used in the malicious payload, the single backslash is dropped prior to reaching strpos($name, '\\') check, thus $name variable already has no backslash, and the command is blacklisted because it reaches the if (in_array($name, $commandExecutionFunctions)) { validation step.

However if |map('\\system') is used (i.e. double backslash), then the strpos($name, "\\") !== false takes effect, and isDangerousFunction() returns false , in which case the RuntimeError is not generated, and blacklist is bypassed leading to code execution.

Exploit Conditions

This vulnerability can be exploited if the attacker has access to:

  1. an Administrator account, or
  2. a non-administrator, user account that has Admin panel access and Create/Update page permissions

Steps to reproduce

  1. Log in to Grav Admin using an administrator account.
  2. Navigate to Accounts > Add, and ensure that the following permissions are assigned when creating a new low-privileged user:
    • Login to Admin - Allowed
    • Page Update - Allowed
  3. Log out of Grav Admin
  4. Login using the account created in step 2.
  5. Choose Pages -> Home
  6. Click the Advanced tab and select the checkbox beside Twig to ensure that Twig processing is enabled for the modified webpage.
  7. Under the Content tab, insert the following payload within the editor:

{{ ['id'] | map('\\system') | join() }}
8. Click the Preview button. Observe that the output of the id shell command is returned in the preview.

Mitigation

diff --git a/system/src/Grav/Common/Utils.php b/system/src/Grav/Common/Utils.php
index 2f121bbe3..7b267cd0f 100644
--- a/system/src/Grav/Common/Utils.php
+++ b/system/src/Grav/Common/Utils.php
@@ -2069,7 +2069,7 @@ abstract class Utils
         }
 
         if (strpos($name, "\\") !== false) {
-            return false;
+            return true;
         }
 
         if (in_array($name, $commandExecutionFunctions)) {
                                                                         

Impact

CVE-2023-37897 has a CVSS score of 7.2 (High). The vector is network-reachable, high privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.7.42.2); upgrading removes the vulnerable code path.

Affected versions

getgrav/grav (<= 1.7.42.1)

Security releases

getgrav/grav → 1.7.42.2 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade getgrav/grav to 1.7.42.2 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2023-37897? CVE-2023-37897 is a high-severity security vulnerability in getgrav/grav (composer), affecting versions <= 1.7.42.1. It is fixed in 1.7.42.2.
  2. How severe is CVE-2023-37897? CVE-2023-37897 has a CVSS score of 7.2 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of getgrav/grav are affected by CVE-2023-37897? getgrav/grav (composer) versions <= 1.7.42.1 is affected.
  4. Is there a fix for CVE-2023-37897? Yes. CVE-2023-37897 is fixed in 1.7.42.2. Upgrade to this version or later.
  5. Is CVE-2023-37897 exploitable, and should I be worried? Whether CVE-2023-37897 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2023-37897 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2023-37897? Upgrade getgrav/grav to 1.7.42.2 or later.

Other vulnerabilities in getgrav/grav

Other vulnerabilities in getgrav/grav

Stop the waste.
Protect your environment with Kodem.