GHSA-gwfr-jfjf-92vv: Grav has Insecure Deserialization in File Cache

Insecure Deserialization in File Cache

  • Severity: High
  • CWE: CWE-502
  • Location: system/src/Grav/Framework/Cache/Adapter/FileCache.php
  • Sink: unserialize($value, ['allowed_classes' => true])

Affected version(s)

  • Affected: >= 1.7.44 and <= 1.7.49.5 (verified in current codebase and changelog-covered releases).
  • Fixed: No upstream fix identified in the reviewed branch at the time of analysis.
  • Notes: Earlier 1.7.x releases may also be affected, but were not fully back-traced in this review.

Notes

allowed_classes => true allows object instantiation and does not constrain classes.

PoC (Primitive Demonstration)

Preconditions

  • Local PHP runtime.
  • Goal is to validate the deserialization primitive used in cache retrieval.

Steps

php -r '
class CacheWakeup { public function __wakeup(){ file_put_contents("/tmp/grav_filecache_poc.txt", "wakeup"); } }

$payload = serialize(new CacheWakeup());
unserialize($payload, ["allowed_classes" => true]);

echo file_exists("/tmp/grav_filecache_poc.txt") ? "FILECACHE_UNSERIALIZE_TRIGGERED\n" : "FILECACHE_UNSERIALIZE_NOT_TRIGGERED\n";
'

Expected Result

  • Output contains: FILECACHE_UNSERIALIZE_TRIGGERED.

Interpretation

This reproduces the same unsafe primitive used by FileCache::doGet(): unserialize($value, ['allowed_classes' => true]). If cache files are attacker-tampered, object magic methods may execute.

Exploit Preconditions

  • Cache file poisoning/tampering capability.

Recommendation

  • Avoid object deserialization in cache payloads.
  • Use non-object formats and integrity protection for cache files.

Maintainer note — fix applied (2026-04-24)

Fixed in Grav core on the 2.0 branch: commit c66dfeb5f — will ship in 2.0.0-beta.2.

What changed: Framework\Cache\Adapter\FileCache now HMAC-signs every cache payload with Security::getNonceKey() on write, and verifies the HMAC on read. Tampered, forged, or pre-upgrade files are treated as cache misses and unlinked instead of being unserialized. The on-disk format is now versioned:

v2
<expires>
<key>
<hmac-hex>
<serialized>

Existing caches rebuild transparently on first read. Note that Framework\Cache\Adapter\FileCache isn’t wired into Grav’s main cache path — Symfony’s FilesystemAdapter is — but the class is reachable by plugin and downstream consumers, so the hardening applies defensively.

References

Code Behaviors & Features

Detect and mitigate GHSA-gwfr-jfjf-92vv with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →