ghsa-9p3p-w5jf-8xxg
Vulnerability from github
Published
2025-05-13 20:02
Modified
2025-05-13 20:02
Severity ?
2.3 (Low) - CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
Summary
Kirby vulnerable to path traversal in the router for PHP's built-in server
Details

TL;DR

This vulnerability affects all Kirby setups that use PHP's built-in server. Such setups are commonly only used during local development.

Sites that use other server software (such as Apache, nginx or Caddy) are not affected.

Introduction

For use with PHP's built-in web server, Kirby provides a router.php file. The router delegates requests to static files to PHP so that assets and other static files in the document root can be accessed by the browser.

This logic was vulnerable against path traversal attacks. By using special elements such as .. and / separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the ../ sequence, which in most modern operating systems is interpreted as the parent directory of the current location.

Impact

The missing path traversal check allowed attackers to navigate all files on the server that were accessible to the PHP process, including files outside of the Kirby installation.

The vulnerable implementation delegated all existing files to PHP, including existing files outside of the document root. This leads to a different response that allows attackers to determine whether the requested file exists.

Because Kirby's router only delegates such requests to PHP and does not load or execute them, contents of the files were not exposed as PHP treats requests to files outside of the document root as invalid.

Patches

The problem has been patched in Kirby 3.9.8.3, Kirby 3.10.1.2 and Kirby 4.7.1. Please update to one of these or a later version to fix the vulnerability.

In all of the mentioned releases, we have updated the router to check if existing static files are within the document root. Requests to files outside the document root are treated as page requests of the error page and will no longer allow to determine whether the file exists or not.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getkirby/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.9.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getkirby/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.10.0"
            },
            {
              "fixed": "3.10.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getkirby/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-30207"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-13T20:02:20Z",
    "nvd_published_at": "2025-05-13T16:15:29Z",
    "severity": "LOW"
  },
  "details": "### TL;DR\n\nThis vulnerability affects all Kirby setups that use PHP\u0027s built-in server. Such setups are commonly only used during local development.\n\nSites that use other server software (such as Apache, nginx or Caddy) are *not* affected.\n\n----\n\n### Introduction\n\nFor use with PHP\u0027s built-in web server, Kirby provides a `router.php` file. The router delegates requests to static files to PHP so that assets and other static files in the document root can be accessed by the browser.\n\nThis logic was vulnerable against path traversal attacks. By using special elements such as `..` and `/` separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the `../` sequence, which in most modern operating systems is interpreted as the parent directory of the current location.\n\n### Impact\n\nThe missing path traversal check allowed attackers to navigate all files on the server that were accessible to the PHP process, including files outside of the Kirby installation.\n\nThe vulnerable implementation delegated all existing files to PHP, including existing files outside of the document root. This leads to a different response that allows attackers to determine whether the requested file exists.\n\nBecause Kirby\u0027s router only delegates such requests to PHP and does not load or execute them, contents of the files were not exposed as PHP treats requests to files outside of the document root as invalid.\n\n### Patches\n\nThe problem has been patched in [Kirby 3.9.8.3](https://github.com/getkirby/kirby/releases/tag/3.9.8.3), [Kirby 3.10.1.2](https://github.com/getkirby/kirby/releases/tag/3.10.1.2) and [Kirby 4.7.1](https://github.com/getkirby/kirby/releases/tag/4.7.1). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability.\n\nIn all of the mentioned releases, we have updated the router to check if existing static files are within the document root. Requests to files outside the document root are treated as page requests of the error page and will no longer allow to determine whether the file exists or not.",
  "id": "GHSA-9p3p-w5jf-8xxg",
  "modified": "2025-05-13T20:02:20Z",
  "published": "2025-05-13T20:02:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-9p3p-w5jf-8xxg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30207"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/commit/3ebc9ad3f5adcbd4838ce60219f1c9a561231235"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getkirby/kirby"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/releases/tag/3.10.1.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/releases/tag/3.9.8.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/releases/tag/4.7.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Kirby vulnerable to path traversal in the router for PHP\u0027s built-in server"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.