CVE-2025-34120 is a path traversal vulnerability classified under CWE-22 and CWE-306 affecting LimeSurvey versions from 2.0+ up to and including 2.06+ Build 151014. The vulnerability arises from improper validation of serialized input submitted to the admin backup endpoint (`index.php/admin/update/sa/backup`). Specifically, the parameter `datasupdateinfo` can be manipulated by an unauthenticated attacker to specify arbitrary file paths on the server. The application then packages these files into a ZIP archive and makes it available for download without requiring any authentication or user interaction. This flaw allows attackers to read arbitrary files on the host system, including sensitive operating system files and configuration data, potentially exposing credentials, system configurations, or other confidential information. The CVSS v4.0 score is 8.7 (high), reflecting the network attack vector, no required privileges or user interaction, and a high impact on confidentiality. The vulnerability does not affect integrity or availability directly but can facilitate further attacks if sensitive data is disclosed. No patches or exploit code are currently publicly available, but the vulnerability is officially published and should be addressed promptly. The root cause is insufficient input sanitization and lack of access control on a critical administrative endpoint, highlighting the need for secure coding practices and endpoint protection in web applications.

For European organizations, the impact of CVE-2025-34120 can be severe due to the potential exposure of sensitive files such as configuration files, database credentials, and system information. This exposure can lead to unauthorized access to internal systems, data breaches, and lateral movement within networks. Organizations using LimeSurvey for sensitive surveys or data collection risk compromising respondent data and internal operational details. The unauthenticated nature of the vulnerability means attackers can exploit it remotely without prior access, increasing the attack surface. Additionally, the ability to download arbitrary files can facilitate reconnaissance and preparation for more sophisticated attacks. Given LimeSurvey's popularity in academic, governmental, and commercial sectors across Europe, the confidentiality breach could undermine trust and lead to regulatory penalties under GDPR if personal data is exposed. The lack of known exploits in the wild currently reduces immediate risk but does not diminish the urgency of remediation.

1. Upgrade LimeSurvey to the latest version where this vulnerability is patched. If an official patch is not yet available, consider temporarily disabling or restricting access to the admin backup endpoint (`index.php/admin/update/sa/backup`). 2. Implement strict input validation and sanitization on all parameters, especially those accepting serialized data, to prevent path traversal payloads. 3. Enforce strong access controls and authentication mechanisms on administrative endpoints to prevent unauthenticated access. 4. Use web application firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting the backup endpoint. 5. Conduct regular security audits and code reviews focusing on serialization handling and file access functions. 6. Monitor server logs for unusual access patterns or attempts to download sensitive files. 7. Educate administrators about the risks of exposing backup functionality without proper security controls. 8. Isolate LimeSurvey instances in segmented network zones to limit potential lateral movement if compromised.