CVE-2025-66300: Grav is vulnerable to Arbitrary File Read
- A low-privilege user account with page editing privileges can read any file on the server using the "Frontmatter" form.
- This includes the Grav user account files (/grav/user/accounts/*.yaml), which store each user's hashed password, 2FA secret, and password reset token.
- This can allow an adversary to compromise any registered account, either by triggering a password reset for the target user and reading the reset token from that user's account file, or by cracking the hashed password.
Detect and mitigate CVE-2025-66300 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.