CVE-2025-66844
BaseFortify
Publication date: 2025-12-15
Last updated on: 2025-12-17
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getgrav | grav | versions before 1.7.49.5 (1.7.49.5 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-66844 is a Server-Side Request Forgery (SSRF) vulnerability in the Grav CMS that occurs when Twig templates process page content and the configuration allows undefined PHP functions to be registered. If the configuration option `system.twig.undefined_functions` is enabled, an attacker can exploit this by invoking PHP functions like `curl_exec` or `stream_socket_client` within Twig templates. This enables the attacker to make arbitrary HTTP requests from the server to internal or private network addresses, potentially accessing internal services that should not be exposed. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker to make unauthorized HTTP requests from the server to internal or private network endpoints. This can lead to exposure of sensitive internal APIs, metadata services, or other protected resources that are normally inaccessible from outside the network. The impact severity ranges from medium to high depending on the sensitivity of the internal services that can be accessed via SSRF. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this SSRF vulnerability involves checking whether the Grav CMS configuration enables undefined PHP functions in Twig templates (specifically whether `system.twig.undefined_functions` is enabled) and whether template processing is active. You can inspect the Grav configuration files for this setting. Additionally, monitoring for unusual outgoing HTTP requests from the server to internal IP addresses (e.g., 127.0.0.1) can indicate exploitation attempts. Commands to help detect this include:
1) Checking the Grav configuration: `grep -r 'undefined_functions' /path/to/grav/user/config/`
2) Monitoring network connections for suspicious internal requests: `netstat -anp | grep ESTABLISHED`, or using `tcpdump` to capture HTTP requests originating from the Grav server to internal IPs, e.g., `tcpdump -i eth0 host 127.0.0.1 and tcp port 80` (note that traffic to 127.0.0.1 itself is carried on the loopback interface, `lo`, rather than `eth0`)
3) Reviewing Twig templates for usage of PHP functions like `curl_exec` or `stream_socket_client` that could be exploited. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling the configuration option `system.twig.undefined_functions` to prevent undefined PHP functions from being registered and used in Twig templates. Additionally, review and restrict Twig templates to avoid usage of potentially dangerous PHP functions such as `curl_exec` or `stream_socket_client`. Applying strict input validation and sanitization on templates and content processed by Twig is recommended. If possible, update Grav CMS to a version where this vulnerability is patched or apply custom patches to restrict exposure of network-related PHP functions. Monitoring and blocking outgoing requests to internal network addresses from the Grav server can also help mitigate exploitation. [1]
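The configuration check and the template review described in the detection and mitigation answers above, as an added Python example that is not part of the BaseFortify page or of Grav itself. The `system.yaml` fragment, the template fragment and the small parser are constructed here; Grav reads its real `system.yaml` with a full YAML library, while this parser only handles the nested `key: value` shape shown.

```python
import re

# Constructed fragment in the shape of Grav's user/config/system.yaml (not from any real site).
SAMPLE_SYSTEM_YAML = """\
twig:
  cache: true
  debug: false
  undefined_functions: true
  undefined_filters: false
"""

# Constructed Twig template fragment, used only to exercise the scanner.
SAMPLE_TEMPLATE = """\
{% set body = curl_exec(handle) %}
{{ page.content }}
"""

# The PHP functions the Q&A above names as reachable through undefined Twig functions.
NETWORK_FUNCTIONS = ("curl_exec", "stream_socket_client")


def parse_flat_yaml(text):
    """Minimal parser for indentation-nested 'key: scalar' YAML mappings (no lists,
    no quoting); returns dotted keys such as {'twig.undefined_functions': 'true'}."""
    result, stack = {}, []  # stack holds (indent, key) for the current nesting path
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave deeper or sibling scopes
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            result[".".join(k for _, k in stack)] = value.strip()
    return result


def undefined_functions_enabled(system_yaml_text):
    """True when system.twig.undefined_functions is on, i.e. the exposed setting."""
    value = parse_flat_yaml(system_yaml_text).get("twig.undefined_functions", "")
    return value.lower() in ("true", "yes", "1")


def find_network_calls(template_text):
    """Return (line_number, function_name) for each network-capable PHP call found."""
    pattern = re.compile(r"\b(" + "|".join(NETWORK_FUNCTIONS) + r")\s*\(")
    return [(n, m.group(1)) for n, line in enumerate(template_text.splitlines(), 1)
            for m in pattern.finditer(line)]
```

Run `undefined_functions_enabled()` over each site's `user/config/system.yaml` and `find_network_calls()` over the theme and page templates; any hit on the first, or any line reported by the second, is what the mitigation answer says to turn off or remove.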
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not specify how this SSRF vulnerability in Grav CMS affects compliance with common standards and regulations such as GDPR or HIPAA.