CVE-2025-31493: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in getkirby kirby
Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby sites that use the `collection()` helper or `$kirby->collection()` method with a dynamic collection name (such as a collection name that depends on request or user data). Sites that only use fixed calls to the `collection()` helper/`$kirby->collection()` method (i.e. calls with a simple string for the collection name) are *not* affected. A missing path traversal check allowed attackers to navigate to and access all files on the server that were accessible to the PHP process, including files outside of the collections root or even outside of the Kirby installation. PHP code within such files was executed. Such attacks first require an attack vector in the site code caused by dynamic collection names, such as `collection('tags-' . get('tags'))`. They generally also require knowledge of the site structure and the server's file system, although it can be possible to find vulnerable setups through automated methods such as fuzzing. In a vulnerable setup, this could cause damage to the confidentiality and integrity of the server. The problem has been patched in Kirby 3.9.8.3, Kirby 3.10.1.2, and Kirby 4.7.1. In all of the mentioned releases, the maintainers of Kirby have added a check for the collection path that ensures that the resulting path is contained within the configured collections root. Collection paths that point outside of the collections root will not be loaded.
AI Analysis
Technical Summary
CVE-2025-31493 is a path traversal vulnerability affecting the Kirby open-source content management system (CMS) in versions prior to 3.9.8.3, from 3.10.0 up to (but not including) 3.10.1.2, and from 4.0.0 up to (but not including) 4.7.1. The vulnerability arises from improper validation of dynamic collection names passed to the `collection()` helper or the `$kirby->collection()` method. Specifically, when these methods are called with a collection name derived from user input or request data, the lack of path traversal checks allows an attacker to manipulate the collection path to access files outside the intended collections root directory. This can lead to unauthorized reading of arbitrary files accessible to the PHP process, including sensitive configuration files or source code. Moreover, PHP code within these files is executed when the file is loaded as a collection, potentially leading to remote code execution or further compromise of the server.

Exploitation requires the site code to use dynamic collection names (e.g., `collection('tags-' . get('tags'))`) and some knowledge of the server's file system structure, although automated fuzzing techniques could identify vulnerable setups. The vulnerability impacts confidentiality and integrity by exposing sensitive data and enabling code execution.

The issue has been addressed in Kirby versions 3.9.8.3, 3.10.1.2, and 4.7.1 by implementing strict path checks to ensure collection paths remain within the configured collections root, preventing traversal outside the intended directory. The CVSS 4.0 score is 6.3 (medium severity), reflecting a network attack vector, low attack complexity, and no privileges or user interaction required, but only partial impact on confidentiality and integrity. No known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations using vulnerable versions of Kirby CMS with dynamic collection names, this vulnerability poses a significant risk. Attackers could access sensitive files on web servers, including configuration files, user data, or proprietary source code, leading to data breaches and intellectual property theft. The ability to execute PHP code from accessed files could allow attackers to escalate privileges, deploy web shells, or pivot within the network, potentially compromising broader IT infrastructure. This risk is heightened for organizations hosting critical services or sensitive data on Kirby-powered websites, such as government portals, educational institutions, or e-commerce platforms. The breach of confidentiality and integrity could result in regulatory non-compliance under GDPR, reputational damage, and financial losses. Since exploitation does not require authentication or user interaction, the vulnerability can be exploited remotely and at scale, increasing the urgency for mitigation.
Mitigation Recommendations
1. Immediately upgrade to a patched Kirby version: 3.9.8.3, 3.10.1.2, or 4.7.1, depending on the release line in use.
2. Audit all site code for usage of the `collection()` helper or `$kirby->collection()` method, especially calls with dynamic collection names derived from user input or request parameters. Refactor code to use fixed collection names wherever possible.
3. Implement strict input validation and sanitization on any user-controlled data that influences collection names to reject path traversal characters or sequences.
4. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious path traversal patterns targeting Kirby collections.
5. Restrict PHP process file system permissions to the minimum necessary, preventing access to sensitive directories outside the web root.
6. Monitor server logs for unusual file access patterns or errors related to collection paths.
7. Conduct penetration testing or fuzzing on Kirby sites to identify potential exploitation vectors before attackers do.
8. Maintain regular backups and incident response plans in case of compromise.
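The two defensive measures the page describes, an allowlist on the collection name (recommendation 3) and the containment check the maintainers added (resolved path must stay inside the collections root), as an added PHP example. This is not Kirby's own code: the file layout `<collectionsRoot>/<name>.php`, the function names `isSafeCollectionName`, `resolveCollectionFile` and `loadCollection`, and the temporary demo directory are all assumptions made for illustration; `loadCollection` stands in for a hardened dynamic `collection()` call.

```php
<?php
declare(strict_types=1);

// Added example, not Kirby's own code. Assumed (hypothetical) layout: each
// collection lives at <collectionsRoot>/<name>.php and is loaded with require.

/**
 * First line of defence: accept only the characters a collection name needs.
 * Separators, dots and control characters are rejected before any path is
 * built from the user-supplied value.
 */
function isSafeCollectionName(string $name): bool
{
    return preg_match('/\A[a-z0-9][a-z0-9_-]*\z/i', $name) === 1;
}

/**
 * Second line of defence: canonicalise the candidate file and verify it is
 * contained within the collections root. realpath() resolves "..", symlinks
 * and repeated separators, so the comparison is made on canonical paths.
 * Returns the resolved path, or null if the file is missing or escapes the root.
 */
function resolveCollectionFile(string $collectionsRoot, string $name): ?string
{
    $root = realpath($collectionsRoot);
    if ($root === false) {
        return null;
    }

    $resolved = realpath($root . DIRECTORY_SEPARATOR . $name . '.php');
    if ($resolved === false) {
        return null; // file does not exist
    }

    // Compare against root plus a trailing separator so a sibling directory
    // that merely shares the prefix (e.g. "collections-old") is not accepted.
    if (!str_starts_with($resolved, $root . DIRECTORY_SEPARATOR)) {
        return null;
    }

    return $resolved;
}

/**
 * Load a collection by name with both checks applied. A hardened dynamic call
 * would look like loadCollection($root, 'tags-' . $requestValue).
 */
function loadCollection(string $collectionsRoot, string $name): mixed
{
    if (!isSafeCollectionName($name)) {
        throw new InvalidArgumentException("Invalid collection name: {$name}");
    }
    $file = resolveCollectionFile($collectionsRoot, $name);
    if ($file === null) {
        throw new RuntimeException("Collection not found or outside root: {$name}");
    }
    return require $file;
}

// --- Demo on a constructed temporary layout ---------------------------------
// <base>/collections/tags-news.php   (inside the root)
// <base>/outside.php                 (outside the root, must never be loaded)
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'coll-demo-' . bin2hex(random_bytes(4));
$root = $base . DIRECTORY_SEPARATOR . 'collections';
mkdir($root, 0700, true);
file_put_contents($root . DIRECTORY_SEPARATOR . 'tags-news.php', '<?php return ["inside-root"];');
file_put_contents($base . DIRECTORY_SEPARATOR . 'outside.php', '<?php return ["outside-root"];');

foreach (['tags-news', '../outside', 'missing'] as $name) {
    $nameCheck = isSafeCollectionName($name) ? 'ok' : 'rejected';
    $contained = resolveCollectionFile($root, $name) ?? 'null (missing or outside root)';
    printf("%-12s name check: %-9s containment: %s\n", $name, $nameCheck, $contained);
}

// Only the in-root collection loads; its return value is the collection payload.
echo json_encode(loadCollection($root, 'tags-news')), PHP_EOL;

// Remove the constructed files.
unlink($root . DIRECTORY_SEPARATOR . 'tags-news.php');
unlink($base . DIRECTORY_SEPARATOR . 'outside.php');
rmdir($root);
rmdir($base);
```

The allowlist rejects traversal input before a path is ever built, and the `realpath()` comparison catches anything that slips past it, including symlinks inside the root that point elsewhere. Because `realpath()` only succeeds for existing files, a missing collection and an out-of-root collection both collapse into the same "not loaded" outcome, which matches the patched behaviour described above.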
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-03-28T13:36:51.298Z
- CISA Enriched: true
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 682cd0fc1484d88663aecc91
Added to database: 5/20/2025, 6:59:08 PM
Last enriched: 7/6/2025, 6:26:05 PM
Last updated: 8/11/2025, 10:48:22 AM