Insecure Deserialization in File Cache
- Severity: High
- CWE: CWE-502
- Location:
system/src/Grav/Framework/Cache/Adapter/FileCache.php
- Sink:
unserialize($value, ['allowed_classes' => true])
Affected version(s)
- Affected:
>= 1.7.44 and <= 1.7.49.5 (verified in current codebase and changelog-covered releases).
- Fixed: No upstream fix identified in the reviewed branch at the time of analysis.
- Notes: Earlier
1.7.x releases may also be affected, but were not fully back-traced in this review.
Notes
allowed_classes => true allows object instantiation and does not constrain classes.
PoC (Primitive Demonstration)
Preconditions
- Local PHP runtime.
- Goal is to validate the deserialization primitive used in cache retrieval.
Steps
php -r '
class CacheWakeup { public function __wakeup(){ file_put_contents("/tmp/grav_filecache_poc.txt", "wakeup"); } }
$payload = serialize(new CacheWakeup());
unserialize($payload, ["allowed_classes" => true]);
echo file_exists("/tmp/grav_filecache_poc.txt") ? "FILECACHE_UNSERIALIZE_TRIGGERED\n" : "FILECACHE_UNSERIALIZE_NOT_TRIGGERED\n";
'Expected Result
- Output contains:
FILECACHE_UNSERIALIZE_TRIGGERED.
Interpretation
This reproduces the same unsafe primitive used by FileCache::doGet():
unserialize($value, ['allowed_classes' => true]).
If cache files are attacker-tampered, object magic methods may execute.
Exploit Preconditions
- Cache file poisoning/tampering capability.
Recommendation
- Avoid object deserialization in cache payloads.
- Use non-object formats and integrity protection for cache files.
Maintainer note — fix applied (2026-04-24)
Fixed in Grav core on the 2.0 branch: commit c66dfeb5f — will ship in 2.0.0-beta.2.
What changed: Framework\Cache\Adapter\FileCache now HMAC-signs every cache payload with Security::getNonceKey() on write, and verifies the HMAC on read. Tampered, forged, or pre-upgrade files are treated as cache misses and unlinked instead of being unserialized. The on-disk format is now versioned:
v2
<expires>
<key>
<hmac-hex>
<serialized>
Existing caches rebuild transparently on first read. Note that Framework\Cache\Adapter\FileCache isn't wired into Grav's main cache path — Symfony's FilesystemAdapter is — but the class is reachable by plugin and downstream consumers, so the hardening applies defensively.
Files:
References
devsamuelsantiago Reporter
Insecure Deserialization in File Cache
system/src/Grav/Framework/Cache/Adapter/FileCache.phpunserialize($value, ['allowed_classes' => true])Affected version(s)
>= 1.7.44and<= 1.7.49.5(verified in current codebase and changelog-covered releases).1.7.xreleases may also be affected, but were not fully back-traced in this review.Notes
allowed_classes => trueallows object instantiation and does not constrain classes.PoC (Primitive Demonstration)
Preconditions
Steps
Expected Result
FILECACHE_UNSERIALIZE_TRIGGERED.Interpretation
This reproduces the same unsafe primitive used by
FileCache::doGet():unserialize($value, ['allowed_classes' => true]).If cache files are attacker-tampered, object magic methods may execute.
Exploit Preconditions
Recommendation
Maintainer note — fix applied (2026-04-24)
Fixed in Grav core on the
2.0branch: commitc66dfeb5f— will ship in 2.0.0-beta.2.What changed:
Framework\Cache\Adapter\FileCachenow HMAC-signs every cache payload withSecurity::getNonceKey()on write, and verifies the HMAC on read. Tampered, forged, or pre-upgrade files are treated as cache misses and unlinked instead of being unserialized. The on-disk format is now versioned:Existing caches rebuild transparently on first read. Note that
Framework\Cache\Adapter\FileCacheisn't wired into Grav's main cache path — Symfony'sFilesystemAdapteris — but the class is reachable by plugin and downstream consumers, so the hardening applies defensively.Files:
system/src/Grav/Framework/Cache/Adapter/FileCache.php.tests/unit/Grav/Common/Security/FileCacheSecurityTest.php— round-trip, tampered-payload rejection, wrong-key forgery rejection, pre-v2 file rebuild, key-field mismatch.References