Summary
Endpoint: admin/config/system
Submenu: Languages
Parameter: Supported
Application: Grav v 1.7.48
A Denial of Service (DoS) vulnerability was identified in the "Languages" submenu of the Grav admin configuration panel (/admin/config/system). Specifically, the Supported parameter fails to properly validate user input. If a malformed value is inserted, such as a single forward slash (/) or an XSS test string, it causes a fatal regular expression parsing error on the server.
This leads to application-wide failure due to the use of the preg_match() function with an improperly constructed regular expression, resulting in the following error:
preg_match(): Unknown modifier 'o' File: /system/src/Grav/Common/Language/Language.php line 244
Once triggered, the site becomes completely unavailable to all users.
Details
Vulnerable Endpoint: POST /admin/config/system
Submenu: Languages
Parameter: Supported
The application dynamically constructs a regular expression using the contents of the Supported field without escaping the input using preg_quote() or proper validation. This allows attackers to inject invalid syntax into the regex engine, crashing the application during language resolution.
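To make the failure mode and the fix concrete, the following PHP is an added illustration, not Grav's own Language.php (whose exact pattern this page does not show). The hypothetical matchLanguageUnsafe() interpolates the raw Supported list into a pattern the way the advisory describes; the hypothetical matchLanguageSafe() allowlists each code first and escapes it with preg_quote(), passing the delimiter as the second argument. The error-handler shim mimics what the stack trace shows: a handler such as Whoops turning the E_WARNING from preg_match() into an ErrorException, which is why one bad saved value takes every request down.

```php
<?php
// Added example, not Grav code. Function names and the pattern shape are hypothetical.
declare(strict_types=1);

// Mirror the framework behaviour seen in the stack trace: an E_WARNING raised by
// preg_match() is promoted to an ErrorException, so a compile error is fatal
// for the whole request rather than a silent "false".
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});

// Vulnerable shape: the configured language list is dropped straight into the regex.
// A value containing the delimiter (a bare "/") closes the pattern early; whatever
// follows is parsed as modifier flags, which is where an "Unknown modifier" warning comes from.
function matchLanguageUnsafe(array $supported, string $path): bool
{
    $alternatives = implode('|', $supported);          // no preg_quote(), no validation
    $pattern = '/^\/(' . $alternatives . ')\/.*/';     // hypothetical pattern shape
    return preg_match($pattern, $path) === 1;          // throws via the handler above on a bad pattern
}

// Hardened shape: reject anything that is not a plausible language/locale code,
// then escape what remains so no entry can alter the regex structure.
function matchLanguageSafe(array $supported, string $path): bool
{
    $quoted = [];
    foreach ($supported as $code) {
        // Allowlist: 2-3 letters, optionally followed by "-" or "_" subtags (en, fr, en-GB, zh_Hant).
        if (!is_string($code) || !preg_match('/^[A-Za-z]{2,3}([_-][A-Za-z0-9]{2,8})*$/', $code)) {
            throw new InvalidArgumentException('invalid language code: ' . var_export($code, true));
        }
        $quoted[] = preg_quote($code, '/');            // delimiter passed so "/" inside a code would be escaped too
    }
    if ($quoted === []) {
        return false;                                  // nothing configured, nothing to match
    }
    $pattern = '/^\/(' . implode('|', $quoted) . ')(\/|$)/';
    return preg_match($pattern, $path) === 1;
}

// Constructed demo values (not taken from any real site).
$okList  = ['en', 'fr'];
$badList = ['/'];                                      // the payload the advisory describes

echo "safe, valid list, path /fr/blog: ", var_export(matchLanguageSafe($okList, '/fr/blog'), true), "\n";

try {
    matchLanguageUnsafe($badList, '/en/blog');
} catch (ErrorException $e) {
    // The same class of error the advisory reports: the request dies inside preg_match().
    echo "unsafe, bad list: ErrorException: ", $e->getMessage(), "\n";
}

try {
    matchLanguageSafe($badList, '/en/blog');
} catch (InvalidArgumentException $e) {
    // The hardened version fails closed at validation time instead of crashing the regex engine.
    echo "safe, bad list: ", $e->getMessage(), "\n";
}
```

The allowlist check belongs at the point where the admin form saves the Supported field as well as at the point of use: rejecting a malformed entry on save means it is never persisted, so a single mistake or a CSRF-delivered form post cannot leave every subsequent request crashing until someone edits the YAML by hand.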
Stack trace excerpt:
Whoops \ Exception \ ErrorException (E_WARNING) preg_match(): Unknown modifier 'o' /system/src/Grav/Common/Language/Language.php line 244
Proof of Concept (PoC)
Payloads:
/
Steps to Reproduce:
- Log into the Grav Admin Panel.
- Navigate to: Configuration → System → Languages.
- Locate the Supported field.
- Insert one of the payloads above (e.g., a single slash /).
- Click Save.
- Observe: All pages in the application begin throwing a fatal error and become inaccessible.
References
CWE-1333: Improper Regular Expression
CWE-20: Improper Input Validation
Discoverer
by CVE-Hunters
Impact
Application-wide Denial of Service (DoS)
All login and admin views crash with the same error
Potentially exploitable by:
Admin panel users
CSRF if misconfigured
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2025-66305? CVE-2025-66305 is a high-severity security vulnerability in getgrav/grav (composer), affecting versions < 1.8.0-beta.27. It is fixed in 1.8.0-beta.27.
- Which versions of getgrav/grav are affected by CVE-2025-66305? getgrav/grav (composer) versions < 1.8.0-beta.27 are affected.
- Is there a fix for CVE-2025-66305? Yes. CVE-2025-66305 is fixed in 1.8.0-beta.27. Upgrade to this version or later.
- Is CVE-2025-66305 exploitable, and should I be worried? Whether CVE-2025-66305 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2025-66305 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2025-66305? Upgrade getgrav/grav to 1.8.0-beta.27 or later.