CVE-2025-34120: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in LimeSurvey GmbH LimeSurvey
An unauthenticated file download vulnerability exists in LimeSurvey versions from 2.0+ up to and including 2.06+ Build 151014. The application fails to validate serialized input to the admin backup endpoint (`index.php/admin/update/sa/backup`), allowing attackers to specify arbitrary file paths using a crafted `datasupdateinfo` payload. The files are packaged in a ZIP archive and made available for download without authentication. This vulnerability can be exploited to read arbitrary files on the host system, including sensitive OS and configuration files.
AI Analysis
Technical Summary
CVE-2025-34120 is a critical path traversal vulnerability affecting LimeSurvey versions from 2.0 up to and including 2.06+ Build 151014. LimeSurvey is an open-source survey application widely used for creating and managing online surveys. The vulnerability exists in the admin backup endpoint located at `index.php/admin/update/sa/backup`. Specifically, the application fails to properly validate serialized input passed via the `datasupdateinfo` parameter. This flaw allows an unauthenticated attacker to craft a malicious payload that specifies arbitrary file paths on the host system. When exploited, the server packages the specified files into a ZIP archive and makes it available for download without requiring any authentication or user interaction. This means an attacker can read arbitrary files on the server, including sensitive operating system files, configuration files, and potentially credentials or other confidential data. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-306 (Missing Authentication for Critical Function). The CVSS v4.0 base score is 8.7 (high severity), reflecting the vulnerability's ease of exploitation (network vector, no privileges or user interaction needed) and its impact on confidentiality (high). No known exploits are currently reported in the wild, but the lack of authentication and the ability to access arbitrary files make this a significant risk if weaponized. The absence of patches at the time of publication further increases the urgency for mitigation.
Potential Impact
For European organizations using LimeSurvey, this vulnerability poses a substantial risk to confidentiality and data integrity. Attackers can exfiltrate sensitive files such as system configuration, user data, database credentials, or survey data stored on the server. This could lead to unauthorized disclosure of personal data, violating GDPR requirements and resulting in regulatory penalties. Additionally, access to configuration files might enable further compromise or lateral movement within the network. Since LimeSurvey is often used by academic institutions, government agencies, and private enterprises across Europe, the exposure of sensitive survey data or internal documents could damage reputation and trust. The unauthenticated nature of the exploit means attackers can target vulnerable servers remotely without prior access, increasing the attack surface. The impact on availability is limited but could arise if attackers delete or corrupt files after exfiltration. Overall, the vulnerability threatens confidentiality primarily, with potential secondary impacts on integrity and availability.
Mitigation Recommendations
European organizations should immediately audit their LimeSurvey installations to identify affected versions (2.0 up to 2.06+ Build 151014). Until an official patch is released, the following mitigations are recommended:
1) Restrict access to the admin backup endpoint via network-level controls such as IP whitelisting or VPN access to limit exposure to trusted administrators only.
2) Implement web application firewall (WAF) rules to detect and block suspicious requests containing path traversal patterns or serialized payloads targeting the `datasupdateinfo` parameter.
3) Disable or restrict the backup functionality if not essential, or move it behind strong authentication and multi-factor authentication mechanisms.
4) Monitor server logs for unusual download activity or access to sensitive files.
5) Segregate LimeSurvey servers from critical infrastructure to limit lateral movement in case of compromise.
6) Prepare to apply patches promptly once available from LimeSurvey GmbH.
7) Conduct a thorough review of file permissions on the server to minimize exposure of sensitive files to the web application user context.
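As an added example (not code from the advisory or from LimeSurvey), the following Python helper implements items 2 and 4 above: it reviews combined-format web server access logs for requests to the backup endpoint named in the advisory, decodes the `datasupdateinfo` value (including double encoding) and flags traversal indicators. The log format, the indicator list and the sample lines are constructed assumptions; only the endpoint path and parameter name come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint path and parameter name as given in the advisory.
BACKUP_ENDPOINT = "admin/update/sa/backup"
SUSPECT_PARAM = "datasupdateinfo"
# Heuristic traversal / sensitive-path indicators (constructed list, not exhaustive).
TRAVERSAL_RE = re.compile(r"\.\.[/\\]|^/etc/|[/\\]etc[/\\](passwd|shadow)|config\.php", re.I)
# Combined log format as written by Apache/nginx (regex tuned to the sample lines below).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double encoding (%252e%252e) cannot hide '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(method, target):
    """Return 'alert', 'notice' or None for one request line's method and target."""
    parts = urlsplit(target)
    if BACKUP_ENDPOINT not in fully_decode(parts.path):
        return None
    values = [fully_decode(v) for v in parse_qs(parts.query).get(SUSPECT_PARAM, [])]
    if any(TRAVERSAL_RE.search(v) for v in values):
        return "alert"   # traversal indicator inside the parameter value
    if values or method == "POST":
        return "alert"   # parameter present, or a request body the access log cannot show
    return "notice"      # endpoint touched without the parameter: review the source address

def scan_log(lines):
    """Return (ip, verdict, target) for each line that touches the backup endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (verdict := classify(m["method"], m["target"])):
            hits.append((m["ip"], verdict, m["target"]))
    return hits

# Constructed sample lines (not real traffic): a benign survey load, a GET carrying a
# traversal string in datasupdateinfo, a POST to the endpoint, and a plain GET of it.
SAMPLE_LOG = [
    '203.0.113.10 - - [16/Jul/2025:21:19:09 +0000] "GET /index.php/survey/index/sid/1234 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [16/Jul/2025:21:20:01 +0000] "GET /index.php/admin/update/sa/backup?datasupdateinfo=%2E%2E%2F%2E%2E%2Fetc%2Fpasswd HTTP/1.1" 200 20480',
    '198.51.100.7 - - [16/Jul/2025:21:20:05 +0000] "POST /index.php/admin/update/sa/backup HTTP/1.1" 200 30720',
    '192.0.2.44 - - [16/Jul/2025:21:21:30 +0000] "GET /index.php/admin/update/sa/backup HTTP/1.1" 302 0',
]
```

Running `scan_log(SAMPLE_LOG)` yields two alerts for 198.51.100.7 and a notice for 192.0.2.44; since POST bodies are not logged, every POST to the endpoint is treated as an alert rather than waiting for a visible payload.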
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.561Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6878174da83201eaacdec2fb
Added to database: 7/16/2025, 9:19:09 PM
Last enriched: 7/24/2025, 1:06:36 AM
Last updated: 8/29/2025, 10:02:54 AM