CVE-2026-53653
Deferred Deferred - Pending Action

Memory Exhaustion in Grav via Image Derivatives

Vulnerability report for CVE-2026-53653, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Grav is a file-based Web platform. Prior to 1.7.53 and 2.0.0-rc.8, Grav allows an unauthenticated visitor to exhaust server memory and CPU by requesting image derivatives with oversized dimensions through URL query image actions such as forceResize in Grav::fallbackUrl, which passes request parameters to ImageMedium magic actions without a dimension or pixel ceiling. This issue is fixed in versions 1.7.53 and 2.0.0-rc.8.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
grav grav to 1.7.53|end_excluding=2.0.0-rc.8 (exc)
getgrav grav to 1.7.53 (inc)
getgrav grav to 2.0.0-rc.8 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-53653 is a vulnerability in the Grav CMS platform that allows unauthenticated attackers to cause a denial of service by exhausting server memory and CPU resources.

The issue arises when an attacker requests image derivatives with extremely large resize dimensions through URL query parameters such as forceResize. Grav processes these parameters without any upper limit on image dimensions, causing the underlying image processing libraries (like GD) to allocate large amounts of memory outside PHP's memory management.

A single malicious request can consume several gigabytes of RAM and tens of seconds of CPU time, and multiple concurrent requests can crash the server entirely. This happens because the server does not validate or clamp the requested image dimensions before processing.

The vulnerability is fixed in Grav versions 1.7.53 and 2.0.0-rc.8 by disabling URL-based image transformations by default and introducing configurable limits on maximum image dimensions and pixel counts.

Compliance Impact

The vulnerability CVE-2026-53653 allows unauthenticated attackers to cause a denial of service by exhausting server memory and CPU resources through unbounded image resizing requests. This can lead to server crashes and service unavailability.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, denial of service vulnerabilities can indirectly impact compliance by causing service interruptions, potentially affecting availability requirements under these regulations.

However, there is no direct information provided about how this vulnerability specifically affects compliance with common standards and regulations.

Impact Analysis

This vulnerability can severely impact the availability and stability of your Grav CMS server.

An attacker can exploit it without authentication by sending specially crafted requests that cause the server to allocate excessive memory and CPU resources.

The result can be a denial of service (DoS), where the server becomes unresponsive or crashes due to resource exhaustion.

This can disrupt legitimate user access, cause downtime, and potentially lead to loss of service or data if the server is not properly managed.

Detection Guidance

This vulnerability can be detected by monitoring for HTTP requests that include image resize query parameters with unusually large dimensions, such as URLs containing parameters like ?forceResize= or ?resize= with very high width and height values.

For example, you can search your web server logs for requests matching patterns like:

  • grep -E "forceResize=[0-9]{4,},[0-9]{4,}" access.log
  • grep -E "resize=[0-9]{5,},[0-9]{5,}" access.log

Additionally, monitoring server resource usage spikes (CPU and memory) correlated with such requests can help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include upgrading Grav CMS to version 1.7.53 or later, or 2.0.0-rc.8 or later, where the vulnerability is fixed.

If upgrading is not immediately possible, you can disable URL-based image transformations by setting the configuration option `system.images.url_actions` to false, which disables image resizing via URL query parameters.

Additionally, configure the `system.images.max_pixels` setting to limit the maximum allowed pixel count for image resizing requests (default is 25,000,000 pixels). This prevents requests with excessively large dimensions from being processed.

These configuration changes prevent unauthenticated attackers from exhausting server memory and CPU by requesting oversized image derivatives.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53653. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart