
CVE-2025-30159: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in getkirby kirby

Severity: Medium
Tags: Vulnerability, CVE-2025-30159, cve, cwe-22, cwe-23
Published: Tue May 13 2025 (05/13/2025, 15:07:02 UTC)
Source: CVE
Vendor/Project: getkirby
Product: kirby

Description

Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby sites that use the `snippet()` helper or `$kirby->snippet()` method with a dynamic snippet name (such as a snippet name that depends on request or user data). Sites that only use fixed calls to the `snippet()` helper/`$kirby->snippet()` method (i.e. calls with a simple string for the snippet name) are *not* affected. A missing path traversal check allowed attackers to navigate and access all files on the server that were accessible to the PHP process, including files outside of the snippets root or even outside of the Kirby installation. PHP code within such files was executed. Such attacks first require an attack vector in the site code that is caused by dynamic snippet names, such as `snippet('tags-' . get('tags'))`. It generally also requires knowledge of the site structure and the server's file system by the attacker, although it can be possible to find vulnerable setups through automated methods such as fuzzing. In a vulnerable setup, this could cause damage to the confidentiality and integrity of the server. The problem has been patched in Kirby 3.9.8.3, Kirby 3.10.1.2, and Kirby 4.7.1. In all of the mentioned releases, Kirby maintainers have added a check for the snippet path that ensures that the resulting path is contained within the configured snippets root. Snippet paths that point outside of the snippets root will not be loaded.

AI-Powered Analysis

Last updated: 07/06/2025, 17:55:11 UTC

Technical Analysis

CVE-2025-30159 is a path traversal vulnerability affecting the Kirby open-source content management system (CMS) in versions prior to 3.9.8.3, between 3.10.0 and 3.10.1.2, and between 4.0.0 and 4.7.1. The vulnerability arises from improper validation of dynamic snippet names passed to the `snippet()` helper or `$kirby->snippet()` method. When these snippet names are constructed dynamically based on user input or request parameters without proper sanitization, an attacker can manipulate the snippet path to traverse directories outside the intended snippets root. This allows unauthorized access to arbitrary files on the server that the PHP process can read, including files outside the Kirby installation directory. Furthermore, if the accessed files contain PHP code, this code can be executed, leading to potential remote code execution. Exploitation requires the presence of dynamic snippet calls in the site code (e.g., `snippet('tags-' . get('tags'))`), knowledge or discovery of the server’s file system structure, and no authentication or user interaction is needed. The vulnerability has been addressed in Kirby versions 3.9.8.3, 3.10.1.2, and 4.7.1 by implementing strict path validation to ensure snippet paths remain within the configured snippets root directory. The CVSS 4.0 base score is 6.3 (medium severity), reflecting network exploitability without privileges or user interaction, with limited impact on confidentiality and integrity and no impact on availability. No known exploits are reported in the wild as of the publication date.

Potential Impact

For European organizations using vulnerable versions of Kirby CMS with dynamic snippet calls, this vulnerability poses a significant risk to server confidentiality and integrity. Attackers could access sensitive configuration files, source code, or other protected data, potentially leading to data breaches or intellectual property theft. Execution of arbitrary PHP code could allow attackers to escalate privileges, implant backdoors, or pivot within the network, increasing the risk of broader compromise. Organizations relying on Kirby for public-facing websites or internal portals may face reputational damage, regulatory penalties under GDPR if personal data is exposed, and operational disruptions. The lack of required authentication or user interaction lowers the barrier for exploitation, increasing the threat level. However, the requirement for dynamic snippet usage and some knowledge of the server environment somewhat limits the attack surface. Still, automated scanning or fuzzing could identify vulnerable setups, making widespread exploitation feasible if patches are not applied promptly.

Mitigation Recommendations

European organizations should immediately audit their Kirby CMS installations to identify versions prior to 3.9.8.3, between 3.10.0 and 3.10.1.2, and between 4.0.0 and 4.7.1. They must upgrade to the patched versions (3.9.8.3, 3.10.1.2, or 4.7.1) without delay. Additionally, developers should review all uses of the `snippet()` helper or `$kirby->snippet()` method to eliminate dynamic snippet names derived from user input or untrusted sources. Where dynamic snippets are necessary, implement rigorous input validation and sanitization to prevent path traversal characters or sequences. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests attempting directory traversal patterns targeting snippet parameters. Conduct regular code reviews and penetration testing focusing on dynamic file inclusion points. Restrict PHP process permissions to the minimum necessary, limiting file system access to reduce potential damage from exploitation. Finally, monitor logs for anomalous access patterns or errors related to snippet loading to detect exploitation attempts early.
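The two defensive measures above (validating the snippet name, and the containment check the maintainers added so that the resolved path stays inside the snippets root) can be illustrated with a small stand-alone PHP script. This is an added example written for this page; it is not Kirby's own code, and the `resolveSnippetUnchecked` / `resolveSnippetChecked` functions, the temporary snippets directory and the sample snippet names are all constructed here for illustration. It shows the unchecked concatenation the advisory describes next to a hardened resolver that layers an allow-list on the name with a `realpath()`-based containment check, and it includes the symlink case that only the second layer catches.

```php
<?php
declare(strict_types=1);

// Constructed test fixture (not a real Kirby install): a throwaway snippets
// root with one legitimate snippet, one file outside the root, and a symlink
// inside the root that points at the outside file.
$snippetsRoot = sys_get_temp_dir() . '/snippets-example-' . bin2hex(random_bytes(4));
mkdir($snippetsRoot . '/tags', 0700, true);
file_put_contents($snippetsRoot . '/tags/news.php', "<?php echo 'tags/news snippet';\n");
$outsideFile = sys_get_temp_dir() . '/outside-example-' . bin2hex(random_bytes(4)) . '.php';
file_put_contents($outsideFile, "<?php echo 'this file is outside the snippets root';\n");
symlink($outsideFile, $snippetsRoot . '/linked.php');

/**
 * Unchecked resolver, modelled on the behaviour the advisory describes:
 * the name is concatenated into a path with no containment check, so a
 * name derived from request data can point anywhere the PHP process can
 * read. Shown only for contrast with the hardened version below.
 */
function resolveSnippetUnchecked(string $root, string $name): string
{
    return $root . '/' . $name . '.php';
}

/**
 * Hardened resolver with two independent layers:
 *  1. An allow-list on the name (letters, digits, '-', '_', and '/' between
 *     segments), applied before any file-system access. This rejects '..'
 *     segments, absolute paths and stray characters outright.
 *  2. A containment check after canonicalisation: realpath() resolves '..'
 *     and symlinks, and the result must sit under the canonical root.
 * Returns the canonical file path, or null when the snippet must not load.
 */
function resolveSnippetChecked(string $root, string $name): ?string
{
    if (preg_match('~^[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*$~', $name) !== 1) {
        return null; // name contains characters outside the allow-list
    }

    $rootReal  = realpath($root);
    $candidate = realpath($root . '/' . $name . '.php');
    if ($rootReal === false || $candidate === false) {
        return null; // root missing, or the snippet file does not exist
    }

    // Compare against the root plus a trailing separator so that a sibling
    // directory whose name merely starts with the root name is not accepted.
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // canonical path resolved outside the snippets root
    }
    return $candidate;
}

// Constructed cases: a legitimate name, a name with a traversal segment
// (stopped by layer 1), and a symlink name that passes layer 1 but whose
// canonical target is outside the root (stopped by layer 2).
$cases = ['tags/news', '../outside-example', 'linked'];
foreach ($cases as $name) {
    printf("%-20s unchecked -> %s\n", $name, resolveSnippetUnchecked($snippetsRoot, $name));
    printf("%-20s checked   -> %s\n", '', resolveSnippetChecked($snippetsRoot, $name) ?? 'REJECTED');
}

// Remove the fixture so the script leaves nothing behind.
unlink($snippetsRoot . '/linked.php');
unlink($snippetsRoot . '/tags/news.php');
rmdir($snippetsRoot . '/tags');
rmdir($snippetsRoot);
unlink($outsideFile);
```

Run it with `php example.php`. Only `tags/news` yields a path from the checked resolver; the traversal name is rejected before any file-system call, and `linked` is rejected even though the name is well-formed and the file exists, because its canonical path lies outside the root. A containment check that compared the unresolved string rather than the `realpath()` result would miss that symlink case, which is why the canonicalisation step belongs in the fix rather than name validation alone.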


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-03-17T12:41:42.566Z
Cisa Enriched: true
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 682cd0fc1484d88663aecc24

Added to database: 5/20/2025, 6:59:08 PM

Last enriched: 7/6/2025, 5:55:11 PM

Last updated: 8/15/2025, 12:24:37 PM

Views: 12
