Headline

GHSA-m8vh-v6r6-w7p6: Grav vulnerable to Denial of Service via Improper Input Handling in 'Supported' Parameter

Endpoint: admin/config/system
Submenu: Languages
Parameter: Supported
Application: Grav v 1.7.48

Summary

A Denial of Service (DoS) vulnerability was identified in the “Languages” submenu of the Grav admin configuration panel (/admin/config/system). Specifically, the Supported parameter fails to properly validate user input. If a malformed value is inserted—such as a single forward slash (/) or an XSS test string—it causes a fatal regular expression parsing error on the server.

This leads to application-wide failure due to the use of the preg_match() function with an improperly constructed regular expression, resulting in the following error:

preg_match(): Unknown modifier 'o' File: /system/src/Grav/Common/Language/Language.php line 244

Once triggered, the site becomes completely unavailable to all users.

Details

Vulnerable Endpoint: POST /admin/config/system
Submenu: Languages
Parameter: Supported

The application dynamically constructs a regular expression using the contents of the Supported field without escaping the input using preg_quote() or proper validation. This allows attackers to inject invalid syntax into the regex engine, crashing the application during language resolution.

Stack trace excerpt:

Whoops \ Exception \ ErrorException (E_WARNING) preg_match(): Unknown modifier 'o' /system/src/Grav/Common/Language/Language.php244

Proof of Concept (PoC)

Payloads:

/

Steps to Reproduce:

Log into the Grav Admin Panel.
Navigate to: Configuration → System → Languages.
Locate the Supported field.
Insert one of the payloads above (e.g., a single slash /).
Click Save.

Observe: All pages in the application begin throwing a fatal error and become inaccessible.

Impact

Application-wide Denial of Service (DoS)
All login and admin views crash with the same error
Potentially exploitable by:
- Admin panel users
- CSRF if misconfigured

References

CWE-1333: Improper Regular Expression
CWE-20: Improper Input Validation

Discoverer

Marcelo Queiroz

by CVE-Hunters

6 hours ago

ghsa

Open in Source

#xss #csrf #vulnerability #dos #git #php #perl

Endpoint: admin/config/system
Submenu: Languages
Parameter: Supported
Application: Grav v 1.7.48

Summary

A Denial of Service (DoS) vulnerability was identified in the “Languages” submenu of the Grav admin configuration panel (/admin/config/system). Specifically, the Supported parameter fails to properly validate user input. If a malformed value is inserted—such as a single forward slash (/) or an XSS test string—it causes a fatal regular expression parsing error on the server.

This leads to application-wide failure due to the use of the preg_match() function with an improperly constructed regular expression, resulting in the following error:

preg_match(): Unknown modifier ‘o’ File: /system/src/Grav/Common/Language/Language.php line 244

Once triggered, the site becomes completely unavailable to all users.

Details

Vulnerable Endpoint: POST /admin/config/system
Submenu: Languages
Parameter: Supported

The application dynamically constructs a regular expression using the contents of the Supported field without escaping the input using preg_quote() or proper validation. This allows attackers to inject invalid syntax into the regex engine, crashing the application during language resolution.

Stack trace excerpt:

Whoops \ Exception \ ErrorException (E_WARNING) preg_match(): Unknown modifier ‘o’ /system/src/Grav/Common/Language/Language.php244

Proof of Concept (PoC)****Payloads:

Steps to Reproduce: