CVE-2025-66305: Denial of Service via Improper Input Handling in Supported Parameter
CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-66305
Summary
A Denial of Service (DoS) vulnerability was identified in the "Languages" submenu of the Grav admin configuration panel (/admin/config/system). Specifically, the Supported parameter does not validate user input. If a malformed value is saved, such as a single forward slash (/) or an XSS test string, the server raises a fatal regular-expression parsing error on every subsequent request.
Details
The application dynamically constructs a regular expression from the contents of the Supported field without escaping each value with preg_quote() and without validating it first. Anyone who can edit the field can therefore inject characters that are meaningful to the regex engine (an unescaped delimiter, for example), so the pattern fails to compile, preg_match() emits a warning that Grav's error handler turns into a fatal exception, and language resolution aborts for every request.
Stack trace excerpt:
Whoops \ Exception \ ErrorException (E_WARNING) preg_match(): Unknown modifier 'o' /system/src/Grav/Common/Language/Language.php:244
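The following PHP snippet is an added illustration of the bug class described above; it is not Grav's own code. The pattern shape (an anchored alternation of language codes used to match the leading URL segment) and the function names are assumptions chosen to stand in for what Language.php does. It shows the unescaped construction failing on the single-slash payload, the preg_quote() fix, and the save-time validation that rejects such values outright.

```php
<?php
// Added example, not Grav project code. The regex shape below is an ASSUMPTION
// standing in for the pattern built in Language.php.
declare(strict_types=1);

/** Vulnerable: raw language codes are interpolated straight into the pattern. */
function langPrefixRegexUnsafe(array $languages): string
{
    return '/^\/(' . implode('|', $languages) . ')(?:\/|$)/i';
}

/** Hardened: every code is preg_quote()d, with the delimiter passed explicitly. */
function langPrefixRegexSafe(array $languages): string
{
    $quoted = array_map(
        static fn(string $l): string => preg_quote($l, '/'),
        $languages
    );
    return '/^\/(' . implode('|', $quoted) . ')(?:\/|$)/i';
}

/** Save-time validation: accept only values that look like language tags. */
function isValidLanguageCode(string $code): bool
{
    return (bool) preg_match('/^[a-z]{2,3}(?:[-_][A-Za-z0-9]{2,8})*$/', $code);
}

/**
 * Resolve the language prefix of a request path. preg_match() returns false
 * (and raises E_WARNING) when the pattern does not compile; Grav's Whoops
 * handler converts that warning into the fatal ErrorException from the trace.
 */
function resolveLanguage(string $regex, string $path): ?string
{
    $result = @preg_match($regex, $path, $m);
    if ($result === false) {
        throw new RuntimeException(
            'regex failed to compile: ' . preg_last_error_msg()
        );
    }
    return $result === 1 ? strtolower($m[1]) : null;
}

// Constructed inputs: a sane configuration and one carrying the PoC payload.
$good = ['en', 'fr', 'de'];
$bad  = ['en', '/'];

echo resolveLanguage(langPrefixRegexUnsafe($good), '/fr/about'), PHP_EOL; // fr

try {
    // Unescaped '/' terminates the pattern early; the remainder is read as
    // modifiers and preg_match() fails, exactly as in the advisory's trace.
    resolveLanguage(langPrefixRegexUnsafe($bad), '/fr/about');
} catch (RuntimeException $e) {
    echo 'unsafe: ', $e->getMessage(), PHP_EOL;
}

// Quoting alone keeps the site serving; the bogus code simply never matches.
var_dump(resolveLanguage(langPrefixRegexSafe($bad), '/en/about')); // "en"
var_dump(resolveLanguage(langPrefixRegexSafe($bad), '/fr/about')); // NULL

// Validation at save time is the stronger fix: the payload never reaches
// the configuration file, so the regex is only ever built from clean codes.
$rejected = array_filter($bad, static fn(string $l): bool => !isValidLanguageCode($l));
var_dump(array_values($rejected)); // ["/"]
```

Both measures belong together: preg_quote() makes the pattern safe for any stored value, while validation at save time stops a legitimate admin from locking themselves out with a typo and denies a CSRF'd request any useful effect.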
PoC
Vulnerable Endpoint: POST /admin/config/system
Submenu: Languages
Parameter: Supported
- Log into the Grav Admin Panel.
- Navigate to: Configuration → System → Languages.
- Locate the Supported field.
- Insert a payload (e.g., a single slash /).
- Click Save.
- Observe: all pages in the application begin throwing the fatal error and become inaccessible.

Impact
- Application-wide Denial of Service (DoS).
- All login and admin views crash with the same error.
- Potentially exploitable by admin panel users, or via CSRF if CSRF protection is misconfigured.
Reference
https://github.com/getgrav/grav/security/advisories/GHSA-m8vh-v6r6-w7p6
Finder
By: CVE-Hunters

