CVE-2025-66305

CVE-2025-66305 is a high-severity security vulnerability in getgrav/grav (composer), affecting versions < 1.8.0-beta.27. It is fixed in 1.8.0-beta.27.

Summary

Endpoint: admin/config/system
Submenu: Languages
Parameter: Supported
Application: Grav v1.7.48

A Denial of Service (DoS) vulnerability was identified in the "Languages" submenu of the Grav admin configuration panel (/admin/config/system). Specifically, the Supported parameter fails to properly validate user input. If a malformed value is inserted, such as a single forward slash (/) or an XSS test string, it causes a fatal regular expression parsing error on the server.

This leads to application-wide failure due to the use of the preg_match() function with an improperly constructed regular expression, resulting in the following error:

preg_match(): Unknown modifier 'o' File: /system/src/Grav/Common/Language/Language.php line 244

Once triggered, the site becomes completely unavailable to all users.

Details

  • Vulnerable Endpoint: POST /admin/config/system

  • Submenu: Languages

  • Parameter: Supported

The application dynamically constructs a regular expression using the contents of the Supported field without escaping the input using preg_quote() or proper validation. This allows attackers to inject invalid syntax into the regex engine, crashing the application during language resolution.
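The following is an added illustration, not Grav's own code: a hypothetical builder that interpolates the "Supported" codes into a URL-prefix regex the way the advisory describes, beside a hardened builder that validates each code against a strict shape before saving and quotes it with preg_quote(). The pattern layout and the function names are assumptions; the exact modifier character PHP reports depends on what follows the injected delimiter in the real pattern.

```php
<?php
// Hypothetical reconstruction (not Grav's code) of building a URL-prefix
// regex from the admin-supplied "Supported" language list.
declare(strict_types=1);

// Vulnerable: raw codes are interpolated into the pattern. A code such as "/"
// closes the delimiter early, the remainder is read as modifiers, and
// preg_match() emits "Unknown modifier ..." and returns false.
function buildLanguageRegexVulnerable(array $codes): string
{
    return '/^\/(' . implode('|', $codes) . ')(\/|$)/i';
}

// Hardened, step 1: reject anything that is not shaped like a language tag
// ("en", "pt-BR") at save time, so bad values never reach the regex engine.
function validateLanguageCodes(array $codes): array
{
    foreach ($codes as $code) {
        if (!is_string($code) || !preg_match('/^[a-z]{2,3}(?:-[A-Za-z0-9]{2,8})*$/', $code)) {
            throw new InvalidArgumentException('Invalid language code: ' . var_export($code, true));
        }
    }
    return $codes;
}

// Hardened, step 2: quote each code for the "/" delimiter even after validation.
function buildLanguageRegexSafe(array $codes): string
{
    $quoted = array_map(fn(string $c): string => preg_quote($c, '/'), validateLanguageCodes($codes));
    return '/^\/(' . implode('|', $quoted) . ')(\/|$)/i';
}

// Demonstration: surface the E_WARNING as an exception so the failure is visible.
set_error_handler(function (int $no, string $msg): bool { throw new ErrorException($msg, 0, $no); });

$payload = ['en', '/']; // constructed sample: one valid code plus the "/" payload from the advisory

try {
    preg_match(buildLanguageRegexVulnerable($payload), '/en/blog');
} catch (ErrorException $e) {
    echo "vulnerable pattern failed: {$e->getMessage()}\n"; // preg_match(): Unknown modifier ')'
}

try {
    buildLanguageRegexSafe($payload);
} catch (InvalidArgumentException $e) {
    echo "hardened path rejected input at save time: {$e->getMessage()}\n";
}

// The hardened builder still accepts a legitimate list.
var_dump(preg_match(buildLanguageRegexSafe(['en', 'pt-BR']), '/pt-BR/about')); // int(1)
```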

Stack trace excerpt:

Whoops \ Exception \ ErrorException (E_WARNING) preg_match(): Unknown modifier 'o' /system/src/Grav/Common/Language/Language.php line 244

Proof of Concept (PoC)

Payloads:

/

Steps to Reproduce:

  1. Log into the Grav Admin Panel.

  2. Navigate to: Configuration → System → Languages.

  3. Locate the Supported field.

  4. Insert one of the payloads above (e.g., a single slash /).

  5. Click Save.

  6. Observe: All pages in the application begin throwing a fatal error and become inaccessible.

References

  • CWE-1333: Improper Regular Expression

  • CWE-20: Improper Input Validation

Discoverer

Marcelo Queiroz

by CVE-Hunters

Impact

  • Application-wide Denial of Service (DoS)

  • All login and admin views crash with the same error

  • Potentially exploitable by:

    • Admin panel users

    • CSRF if misconfigured

Affected versions

getgrav/grav (< 1.8.0-beta.27)

Security releases

getgrav/grav → 1.8.0-beta.27 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade getgrav/grav to 1.8.0-beta.27 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2025-66305? CVE-2025-66305 is a high-severity security vulnerability in getgrav/grav (composer), affecting versions < 1.8.0-beta.27. It is fixed in 1.8.0-beta.27.
  2. Which versions of getgrav/grav are affected by CVE-2025-66305? getgrav/grav (composer) versions < 1.8.0-beta.27 are affected.
  3. Is there a fix for CVE-2025-66305? Yes. CVE-2025-66305 is fixed in 1.8.0-beta.27. Upgrade to this version or later.
  4. Is CVE-2025-66305 exploitable, and should I be worried? Whether CVE-2025-66305 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  5. What actually determines whether CVE-2025-66305 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2025-66305? Upgrade getgrav/grav to 1.8.0-beta.27 or later.
