
CVE-2025-30207: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in getkirby kirby

Low
Tags: Vulnerability, CVE-2025-30207, cve, cwe-22, cwe-23
Published: Tue May 13 2025 (05/13/2025, 15:20:00 UTC)
Source: CVE
Vendor/Project: getkirby
Product: kirby

Description

Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby setups that use PHP's built-in server. Such setups are commonly only used during local development. Sites that use other server software (such as Apache, nginx or Caddy) are not affected. A missing path traversal check allowed attackers to navigate all files on the server that were accessible to the PHP process, including files outside of the Kirby installation. The vulnerable implementation delegated all existing files to PHP, including existing files outside of the document root. This leads to a different response that allows attackers to determine whether the requested file exists. Because Kirby's router only delegates such requests to PHP and does not load or execute them, contents of the files were not exposed, as PHP treats requests to files outside of the document root as invalid. The problem has been patched in Kirby 3.9.8.3, Kirby 3.10.1.2, and Kirby 4.7.1. In all of the mentioned releases, the maintainers of Kirby have updated the router to check whether existing static files are within the document root. Requests to files outside the document root are treated as page requests of the error page and no longer allow an attacker to determine whether the file exists.

AI-Powered Analysis

AI Last updated: 07/06/2025, 17:56:47 UTC

Technical Analysis

CVE-2025-30207 is a path traversal vulnerability identified in the Kirby content management system (CMS), specifically affecting versions prior to 3.9.8.3, between 3.10.0 and 3.10.1.2, and between 4.0.0 and 4.7.1. Kirby is an open-source CMS primarily used for website content management. The vulnerability arises in setups where Kirby is run using PHP's built-in web server, which is typically used only during local development environments rather than production. The root cause is a missing validation check in Kirby's router component that allowed attackers to perform path traversal attacks by requesting files outside the intended document root directory. This flaw permitted attackers to probe the server filesystem accessible to the PHP process and determine the existence of arbitrary files outside the Kirby installation directory. However, because the PHP built-in server treats requests to files outside the document root as invalid and Kirby’s router only delegates such requests without executing them, the contents of these files were not disclosed, limiting the impact to information disclosure about file existence only. The vulnerability does not affect Kirby installations running on other common web servers such as Apache, nginx, or Caddy. The issue was addressed in Kirby versions 3.9.8.3, 3.10.1.2, and 4.7.1 by adding strict checks in the router to ensure that only files within the document root are served, and any requests for files outside this root are handled as error page requests, preventing attackers from confirming file existence. The CVSS 4.0 base score is 2.3, indicating a low severity vulnerability, with an attack vector requiring adjacent network access, no privileges or user interaction, and limited scope and impact.
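As an added illustration of the router behaviour described in the Description and Technical Analysis above (this is not Kirby's own router code), the following minimal router script for PHP's built-in server (`php -S localhost:8000 router.php`) shows the unchecked delegation of existing files beside a document-root containment check; the document root, the error response and all names are assumptions.

```php
<?php
// Added example, not Kirby's code: a router.php for PHP's built-in server.
// The document root is assumed to be the directory containing this script.
declare(strict_types=1);

$docRoot = realpath(__DIR__);
$requestPath = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
if (!is_string($requestPath)) {
    $requestPath = '/';
}
// Undo percent-encoding (e.g. %2e%2e) before any filesystem check.
$requestPath = rawurldecode($requestPath);
$candidate   = $docRoot . $requestPath;

// True only if $path resolves to an existing regular file inside $docRoot.
function isInsideDocRoot(string $docRoot, string $path): bool
{
    $real = realpath($path);           // collapses "..", resolves symlinks
    if ($real === false || !is_file($real)) {
        return false;
    }
    // Compare with the trailing separator so "/srv/www2" does not match "/srv/www".
    $prefix = $docRoot . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0;
}

// Vulnerable pattern (what the advisory describes): every existing file is
// handed to the built-in server, even when ".." segments take $candidate
// outside $docRoot. The built-in server rejects such files, but its response
// differs from the CMS error page, which reveals whether the file exists.
//
//   if (is_file($candidate)) {
//       return false; // delegate to PHP's built-in server
//   }

// Hardened pattern: only existing files inside the document root are delegated.
if (isInsideDocRoot($docRoot, $candidate)) {
    return false; // delegate the static file to PHP's built-in server
}

// Everything else (missing files and existing files outside the root alike)
// takes the same path, here a stand-in for the CMS error page, so the
// response no longer depends on whether the requested file exists.
http_response_code(404);
header('Content-Type: text/plain; charset=utf-8');
echo "Page not found\n";
```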

Potential Impact

For European organizations, the direct impact of this vulnerability is limited due to its low severity and the specific conditions required for exploitation. Since the vulnerability only affects Kirby CMS instances running on PHP's built-in server, which is predominantly used for local development rather than production, the risk to live, internet-facing systems is minimal. The vulnerability allows attackers to confirm the existence of files on the server accessible to PHP, which could aid in reconnaissance activities during an attack chain but does not expose file contents or allow code execution. Consequently, confidentiality, integrity, and availability impacts are negligible. However, organizations that use Kirby CMS for development or staging environments on local or internal networks could be at some risk if these environments are accessible to attackers, such as through misconfigured VPNs or internal network exposure. Attackers could leverage this information to map the filesystem and identify sensitive files or configuration files, potentially facilitating further targeted attacks. Overall, the threat is low but should not be ignored in secure development lifecycle practices.

Mitigation Recommendations

European organizations using Kirby CMS should ensure that all instances are updated to the patched versions: 3.9.8.3, 3.10.1.2, or 4.7.1 or later. Beyond applying patches, organizations should avoid using PHP’s built-in server for anything other than isolated local development environments that are not accessible externally. Development environments should be segregated from production and protected by network access controls such as firewalls or VPNs to prevent unauthorized access. Additionally, organizations should implement strict access controls on development machines and internal networks to limit exposure. Monitoring and logging access to development servers can help detect suspicious activity. For environments where PHP’s built-in server must be used, consider additional web server-level access restrictions or sandboxing to prevent unauthorized file system access. Regular security reviews of development and staging environments should be conducted to ensure no inadvertent exposure. Finally, educating developers and IT staff about the risks of using PHP’s built-in server in accessible environments will help reduce the attack surface.


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-03-18T18:15:13.849Z
Cisa Enriched
true
Cvss Version
4.0
State
PUBLISHED

Threat ID: 682cd0fc1484d88663aecc34

Added to database: 5/20/2025, 6:59:08 PM

Last enriched: 7/6/2025, 5:56:47 PM

Last updated: 7/26/2025, 3:00:45 AM
