CVE-2025-34120: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in LimeSurvey GmbH LimeSurvey
An unauthenticated file download vulnerability exists in LimeSurvey versions from 2.0+ up to and including 2.06+ Build 151014. The application fails to validate serialized input to the admin backup endpoint (`index.php/admin/update/sa/backup`), allowing attackers to specify arbitrary file paths using a crafted `datasupdateinfo` payload. The files are packaged in a ZIP archive and made available for download without authentication. This vulnerability can be exploited to read arbitrary files on the host system, including sensitive OS and configuration files.
AI Analysis
Technical Summary
CVE-2025-34120 is a critical security vulnerability identified in LimeSurvey, an open-source online survey application developed by LimeSurvey GmbH. This vulnerability affects LimeSurvey versions from 2.0 up to and including 2.06+ Build 151014. The flaw is a path traversal vulnerability (CWE-22) combined with improper access control (CWE-306) that allows unauthenticated attackers to download arbitrary files from the host system. Specifically, the vulnerability exists in the admin backup endpoint (`index.php/admin/update/sa/backup`), where the application fails to properly validate serialized input passed via the `datasupdateinfo` parameter. An attacker can craft this payload to specify arbitrary file paths, which the application then packages into a ZIP archive and makes available for download without requiring any authentication or user interaction. This means that an attacker can remotely and anonymously access sensitive files on the server, including operating system files, configuration files, and potentially sensitive application data. The vulnerability has a CVSS 4.0 base score of 8.7 (high severity), reflecting its ease of exploitation (network vector, no authentication, no user interaction) and the high impact on confidentiality due to unauthorized file disclosure. Although no known exploits are currently reported in the wild, the vulnerability's nature and severity make it a significant risk for LimeSurvey deployments. The lack of authentication and the direct exposure of sensitive files could lead to further attacks such as credential theft, privilege escalation, or lateral movement within compromised environments.
Potential Impact
For European organizations using LimeSurvey versions 2.0 through 2.06+ Build 151014, this vulnerability poses a substantial risk to the confidentiality of sensitive data. Many public sector, academic, and private organizations in Europe rely on LimeSurvey for collecting survey data, which may include personal data protected under GDPR. Exploitation could lead to unauthorized disclosure of personal data, internal configuration files, and system information, potentially resulting in data breaches and regulatory penalties. Furthermore, exposure of system files could facilitate subsequent attacks, including privilege escalation or deployment of malware. The unauthenticated nature of the vulnerability means attackers can exploit it remotely without prior access, increasing the risk of widespread scanning and exploitation attempts. Given the high severity and ease of exploitation, organizations face risks not only to data confidentiality but also to operational integrity if attackers leverage disclosed information to compromise systems further.
Mitigation Recommendations
European organizations should immediately assess their LimeSurvey installations to determine if they are running affected versions (2.0 up to 2.06+ Build 151014). Since no official patches are currently linked, organizations should consider the following mitigations:
1) Restrict access to the LimeSurvey admin backup endpoint via network-level controls such as firewalls or web application firewalls (WAFs) to allow only trusted IP addresses or VPN users.
2) Implement strict input validation and sanitization at the application or proxy level to detect and block path traversal patterns in requests targeting the backup endpoint.
3) Monitor web server logs for suspicious requests containing unusual `datasupdateinfo` parameters or attempts to access sensitive files.
4) If feasible, upgrade to a newer, patched version of LimeSurvey once available or apply vendor-provided patches promptly.
5) Employ file system permissions to limit the web server's read access to only necessary directories, reducing the impact of arbitrary file reads.
6) Conduct regular security audits and penetration testing focused on web application endpoints to detect similar vulnerabilities.
These targeted mitigations go beyond generic advice by focusing on access restriction, input filtering, and monitoring specific to the vulnerability's exploitation vector.
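The following is an added example, not code from the advisory, from LimeSurvey or from the analysis above. It shows two defender-side pieces that mitigations 2) and 3) call for: a path-confinement check of the kind a backup handler should apply before packaging a file (the server-side fix for CWE-22), and a small access-log scanner that flags requests to the backup endpoint named in the advisory whose `datasupdateinfo` value carries traversal segments or absolute paths, or that reach the endpoint from an address outside an allowlist. Assumptions: the log lines are constructed in Common Log Format, the parameter values are placeholders (the real serialized structure is not described on the page), the backup root `/srv/limesurvey/backups` is hypothetical, and the trusted-address list is illustrative.

```python
"""Defender-side checks for the path traversal pattern described above.

Added example, not LimeSurvey code. Log lines, paths and addresses are
constructed for illustration.
"""
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

BACKUP_ENDPOINT = "index.php/admin/update/sa/backup"  # endpoint named in the advisory
PARAM = "datasupdateinfo"                               # parameter named in the advisory

# Common Log Format: client ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# '..' as a whole path segment, with either separator
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')
# an absolute POSIX path with two or more components after a delimiter, or a Windows drive path
ABS_PATH_RE = re.compile(r'(?:^|[\s"\':])(?:/[\w.-]+){2,}|[A-Za-z]:\\')


def confine_to_root(requested, root):
    """Return the canonical path of `requested` if it lies inside `root`, else None.

    realpath() collapses '..' segments and follows symlinks, so the decision is
    made on where the path actually lands, not on how it was spelled. An
    absolute `requested` value replaces `root` in os.path.join and is therefore
    rejected by the common-path check as well.
    """
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    try:
        if os.path.commonpath([root_real, candidate]) != root_real:
            return None
    except ValueError:  # mixed absolute/relative paths or different drives
        return None
    return candidate


def value_is_suspicious(value):
    """parse_qs already decoded once; decode again to catch double encoding."""
    decoded = unquote(unquote(value))
    return bool(TRAVERSAL_RE.search(decoded) or ABS_PATH_RE.search(decoded))


def flag_backup_requests(log_lines, trusted_ips):
    """Return (ip, severity, reason) tuples for requests to the backup endpoint."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.lower().rstrip("/").endswith(BACKUP_ENDPOINT):
            continue
        ip = m["ip"]
        values = parse_qs(parts.query).get(PARAM, [])
        if any(value_is_suspicious(v) for v in values):
            findings.append((ip, "high", "traversal or absolute path in " + PARAM))
        elif ip not in trusted_ips:
            # The parameter may also travel in a POST body, which access logs do
            # not record, so any hit on an admin-only endpoint from an unexpected
            # address deserves review on its own.
            findings.append((ip, "medium", "backup endpoint reached from untrusted address"))
    return findings


# Constructed sample log; none of these lines is from a real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Jul/2025:21:19:09 +0000] "GET /index.php/admin/update/sa/backup'
    '?datasupdateinfo=..%2F..%2Fconfig%2Fconfig.php HTTP/1.1" 200 2048',
    '192.168.1.20 - - [16/Jul/2025:21:20:01 +0000] "GET /index.php/admin/update/sa/backup HTTP/1.1" 200 512',
    '203.0.113.9 - - [16/Jul/2025:21:21:44 +0000] "GET /index.php/admin/update/sa/backup HTTP/1.1" 200 512',
    '203.0.113.9 - - [16/Jul/2025:21:22:10 +0000] "GET /index.php/survey/index/sid/1234 HTTP/1.1" 200 4096',
    '198.51.100.7 - - [16/Jul/2025:21:23:30 +0000] "GET /index.php/admin/update/sa/backup'
    '?datasupdateinfo=%252e%252e%252f%252e%252e%252fapplication%252fconfig%252fconfig.php HTTP/1.1" 200 2048',
]
TRUSTED_IPS = {"192.168.1.20"}  # illustrative admin allowlist

if __name__ == "__main__":
    for finding in flag_backup_requests(SAMPLE_LOG, TRUSTED_IPS):
        print(finding)
    print(confine_to_root("survey_backup.zip", "/srv/limesurvey/backups"))
    print(confine_to_root("../../application/config/config.php", "/srv/limesurvey/backups"))
```

The scanner deliberately separates two severities: a decoded traversal marker is a strong signal, while a bare hit on an admin-only endpoint from outside the allowlist is weaker but still worth reviewing, because a parameter sent in a POST body never appears in the access log at all. The confinement check belongs on the server side, where the final resolved path is compared against the backup directory rather than the raw request string.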
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.561Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6878174da83201eaacdec2fb
Added to database: 7/16/2025, 9:19:09 PM
Last enriched: 7/16/2025, 9:31:36 PM
Last updated: 7/16/2025, 10:25:15 PM