PT-2026-39164 — Remote Code Execution in Packagist Getgrav/Grav

PT-2026-39164 · Packagist · Getgrav/Grav

Published

2026-05-05

Updated

2026-05-05

CVSS v3.1

5.0

Medium

Vector

AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Insecure Deserialization in File Cache

Severity: High
CWE: CWE-502
Location: system/src/Grav/Framework/Cache/Adapter/FileCache.php
Sink: unserialize($value, ['allowed classes' => true])

Affected version(s)

Affected: >= 1.7.44 and <= 1.7.49.5 (verified in current codebase and changelog-covered releases).
Fixed: No upstream fix identified in the reviewed branch at the time of analysis.
Notes: Earlier 1.7.x releases may also be affected, but were not fully back-traced in this review.

Notes

allowed classes => true allows object instantiation and does not constrain classes.

PoC (Primitive Demonstration)

Preconditions

Local PHP runtime.
Goal is to validate the deserialization primitive used in cache retrieval.

Steps

bash

php -r '
class CacheWakeup { public function  wakeup(){ file put contents("/tmp/grav filecache poc.txt", "wakeup"); } }

$payload = serialize(new CacheWakeup());
unserialize($payload, ["allowed classes" => true]);

echo file exists("/tmp/grav filecache poc.txt") ? "FILECACHE UNSERIALIZE TRIGGERED
" : "FILECACHE UNSERIALIZE NOT TRIGGERED
";
'

Expected Result

Output contains: FILECACHE UNSERIALIZE TRIGGERED.

Interpretation

This reproduces the same unsafe primitive used by FileCache::doGet(): unserialize($value, ['allowed classes' => true]). If cache files are attacker-tampered, object magic methods may execute.

Exploit Preconditions

Cache file poisoning/tampering capability.

Recommendation

Avoid object deserialization in cache payloads.
Use non-object formats and integrity protection for cache files.

Maintainer note — fix applied (2026-04-24)

Fixed in Grav core on the 2.0 branch: commit c66dfeb5f — will ship in 2.0.0-beta.2.

What changed: FrameworkCacheAdapterFileCache now HMAC-signs every cache payload with Security::getNonceKey() on write, and verifies the HMAC on read. Tampered, forged, or pre-upgrade files are treated as cache misses and unlinked instead of being unserialized. The on-disk format is now versioned:

v2
<expires>
<key>
<hmac-hex>
<serialized>

Existing caches rebuild transparently on first read. Note that FrameworkCacheAdapterFileCache isn't wired into Grav's main cache path — Symfony's FilesystemAdapter is — but the class is reachable by plugin and downstream consumers, so the hardening applies defensively.

Files:

system/src/Grav/Framework/Cache/Adapter/FileCache.php.
tests/unit/Grav/Common/Security/FileCacheSecurityTest.php — round-trip, tampered-payload rejection, wrong-key forgery rejection, pre-v2 file rebuild, key-field mismatch.

Fix

RCE

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20CWE-502

Related Identifiers

GHSA-GWFR-JFJF-92VV

Affected Products

Getgrav/Grav