grav
cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*
- < 1.7.49.5
A server-side request forgery (SSRF) vulnerability has been identified in Grav versions prior to 1.7.49.5. This vulnerability can be exploited through Twig templates when the page content is processed by Twig, and the configuration permits undefined PHP functions to be registered at runtime. Under these conditions, an attacker could use functions like curl_* or stream_socket_client to make requests to internal addresses, such as 127.0.0.1:80.
Exploitation of this vulnerability allows an attacker to make server-side requests to internal network endpoints, potentially leading to exposure of sensitive resources, internal APIs, or metadata services. The severity of the impact can range from medium to high, depending on the sensitivity of the accessed internal services.
To reproduce this vulnerability, create a Twig template that includes a payload using an allowed undefined function, such as curl_exec. Ensure that the Grav configuration allows undefined functions and that the template is processed with Twig. When the payload is executed, it will make a request to an internal address, demonstrating the SSRF vulnerability.
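As an added example (not part of this advisory or of Grav's code), the following defender-side check looks for the two preconditions described above: undefined PHP functions allowed in Twig, and page content that is processed by Twig and calls one of the named functions. It assumes Grav's twig.undefined_functions and pages.process.twig settings in system.yaml and the process.twig key in page frontmatter, none of which are named on this page; the configuration text, page paths and page bodies are constructed samples.

```python
import re

# Functions named in the advisory; extend with other network-capable PHP calls.
RISKY_CALL = re.compile(r"\b(curl_\w+|stream_socket_client)\s*\(")
TWIG_BLOCK = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)

def yaml_value(text, dotted):
    """Scalar at a dotted path in simple indentation-nested YAML, else None."""
    stack = []
    for raw in text.splitlines():
        m = re.match(r"^(\s*)([\w-]+):\s*(.*)$", raw.split(" #")[0].rstrip())
        if not m:
            continue
        indent = len(m.group(1))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, m.group(2)))
        if ".".join(k for _, k in stack) == dotted:
            return m.group(3).strip("'\" ")
    return None

def is_true(value):
    return str(value).lower() in ("true", "1", "yes", "on")

def audit(system_yaml, pages):
    """Report the risky config flag and risky calls in Twig-processed pages."""
    findings = []
    if is_true(yaml_value(system_yaml, "twig.undefined_functions")):
        findings.append(("config", "twig.undefined_functions enabled"))
    site_twig = is_true(yaml_value(system_yaml, "pages.process.twig"))
    for path, text in pages.items():
        parts = text.split("---", 2) if text.startswith("---") else [text]
        front, body = (parts[1], parts[2]) if len(parts) == 3 else ("", text)
        page_twig = yaml_value(front, "process.twig")
        if not (is_true(page_twig) if page_twig is not None else site_twig):
            continue  # content is not rendered by Twig, so the call never runs
        for block in TWIG_BLOCK.findall(body):
            findings += [(path, call) for call in RISKY_CALL.findall(block)]
    return findings

# Constructed sample input (assumed key names, hypothetical page paths).
SYSTEM_YAML = "pages:\n  process:\n    markdown: true\n    twig: false\ntwig:\n  undefined_functions: true\n"
PAGES = {
    "user/pages/01.home/default.md":
        "---\ntitle: Home\nprocess:\n    twig: true\n---\n{{ stream_socket_client('tcp://127.0.0.1:80') }}\n",
    "user/pages/02.about/default.md":
        "---\ntitle: About\n---\n{{ curl_exec(handle) }}\n",
}

if __name__ == "__main__": print(audit(SYSTEM_YAML, PAGES))
```

The second sample page is not reported because neither its frontmatter nor the site configuration enables Twig processing for it, which is the condition the advisory describes.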