CVE-2025-66305
BaseFortify

Publication date: 2025-12-01

Last updated on: 2025-12-03

Assigner: GitHub, Inc.

Description
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Denial of Service (DoS) vulnerability was identified in the "Languages" submenu of the Grav admin configuration panel (/admin/config/system). Specifically, the Supported parameter fails to properly validate user input. If a malformed value is inserted, such as a single forward slash (/) or an XSS test string, it causes a fatal regular expression parsing error on the server. This leads to application-wide failure due to the use of the preg_match() function with an improperly constructed regular expression, resulting in an error. Once triggered, the site becomes completely unavailable to all users. This vulnerability is fixed in 1.8.0-beta.27.
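The failure mode the description names, a configured value spliced into a preg_match() pattern without validation, shown as an added illustration in PHP beside a hardened version. This is not Grav's own code; the function names, the pattern shape, the language-code allowlist and the assumption that a warning is turned into an uncaught exception are all assumptions made for the example.

```php
<?php
// Added illustration, not Grav's own code: the hazard the advisory describes,
// in general form. Assumed shape: a "Supported" language value becomes part of
// a preg_match() pattern without validation.
declare(strict_types=1);

// Unsafe: a value such as "/" yields the pattern "/^//" which PCRE cannot
// compile. preg_match() then emits a warning and returns false; if the
// application's error handler turns warnings into exceptions that nothing
// catches (CWE-248), the request dies, and every page that runs this code fails.
function matchesLanguageUnsafe(string $supported, string $candidate): bool
{
    return preg_match("/^{$supported}/", $candidate) === 1;
}

// Hardened: allowlist the value first, escape it, and treat a false return
// from preg_match() as an ordinary failure instead of letting it propagate.
function isValidLanguageCode(string $code): bool
{
    // Assumed allowlist for codes such as "en", "en-GB", "zh-Hant".
    return preg_match('/^[A-Za-z]{2,3}(?:-[A-Za-z0-9]{2,8})*$/', $code) === 1;
}

function matchesLanguageSafe(string $supported, string $candidate): bool
{
    if (!isValidLanguageCode($supported)) {
        return false;                    // reject; never build a pattern from it
    }
    $pattern = '/^' . preg_quote($supported, '/') . '/';
    $result = @preg_match($pattern, $candidate);   // suppress the warning, inspect the result
    if ($result === false) {
        error_log('preg_match failed: ' . preg_last_error_msg()); // PHP 8.0+
        return false;
    }
    return $result === 1;
}

// Constructed inputs: a valid code, then the malformed value from the advisory.
var_dump(matchesLanguageSafe('en-GB', 'en-GB'));   // accepted code, normal match
var_dump(matchesLanguageSafe('/', 'en'));          // rejected before any pattern is built
var_dump(matchesLanguageUnsafe('/', 'en'));        // builds "/^//" and triggers the warning
```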
Meta Information
Published: 2025-12-01
Last Modified: 2025-12-03
Generated: 2026-06-16
AI Q&A: 2025-12-01
EPSS Evaluated: 2026-06-15
NVD
Affected Vendors & Products
Showing 27 associated CPEs
Vendor Product Version / Range
getgrav grav From 1.7.48 (inc) to 1.8.0 (exc)
getgrav grav 1.8.0
CWE
CWE-248: An exception is thrown from a function, but it is not caught.
AI Quick Actions (AI-generated summary)
Executive Summary

This vulnerability is a Denial of Service (DoS) issue in the Grav web platform before version 1.8.0-beta.27. It occurs in the 'Languages' submenu of the Grav admin configuration panel, where the 'Supported' parameter does not properly validate user input. If a malformed value, such as a single forward slash (/) or an XSS test string, is entered, it causes a fatal regular expression parsing error on the server. This error leads to application-wide failure, making the site completely unavailable to all users.

Impact Analysis

The vulnerability can cause the entire Grav site to become unavailable to all users due to a fatal error triggered by malformed input in the admin panel. This results in a Denial of Service, preventing legitimate users from accessing the site or its services.

Mitigation Strategies

Upgrade Grav to version 1.8.0-beta.27 or later, as this version contains the fix for the Denial of Service vulnerability in the Languages submenu of the admin configuration panel.
