CVE-2025-30878 is a path traversal vulnerability identified in the JS Help Desk plugin developed by JoomSky, specifically affecting versions up to and including 2.9.2. The vulnerability arises from improper limitation of pathname inputs within the js-support-ticket component, allowing an attacker to craft malicious requests that traverse directories beyond the intended restricted folder. This can enable unauthorized access to arbitrary files on the server, potentially exposing sensitive information such as configuration files, credentials, or other protected data. The vulnerability does not require authentication but does require interaction with the vulnerable component, implying some level of user input or request submission. Although no known exploits have been reported in the wild, the flaw represents a significant risk due to the common use of JS Help Desk in Joomla-based environments. No official patch links have been published yet, and no CVSS score is assigned, indicating the need for immediate attention from administrators. The vulnerability was reserved on March 26, 2025, and published on April 1, 2025, by Patchstack. The absence of CWE classification suggests the need for further technical analysis, but the core issue is a classic path traversal attack vector.

The primary impact of CVE-2025-30878 is unauthorized disclosure of sensitive information due to arbitrary file read capabilities. Attackers exploiting this vulnerability can access files outside the intended directory scope, potentially retrieving configuration files, database credentials, or other sensitive data that could facilitate further compromise. This undermines confidentiality and may indirectly affect integrity if attackers leverage obtained information for privilege escalation or code execution. Availability impact is minimal unless combined with other vulnerabilities. Organizations relying on JS Help Desk for customer support risk data breaches, loss of customer trust, and compliance violations. The vulnerability's ease of exploitation without authentication increases the threat level, especially for publicly accessible help desk portals. The lack of known exploits provides a window for proactive mitigation but also means attackers may develop exploits rapidly once details are public.

Administrators should immediately verify their JS Help Desk plugin version and upgrade to a patched version once available from JoomSky. In the absence of an official patch, implement strict input validation and sanitization on pathname parameters within the js-support-ticket component to prevent directory traversal sequences such as '../'. Employ web application firewalls (WAFs) with rules to detect and block path traversal attempts targeting the plugin endpoints. Restrict file system permissions for the web server user to limit access to sensitive directories and files, minimizing the impact of potential exploitation. Monitor logs for suspicious requests containing traversal patterns and unusual file access. Consider temporarily disabling the vulnerable component if feasible until a patch is released. Regularly review and update Joomla and its extensions to maintain security hygiene.