CVE-2025-60790 (severity: n/a)
ProcessWire CMS 3.0.246 allows a low-privileged user with lang-edit to upload a crafted ZIP to Language Support that is auto-extracted without limits prior to validation, enabling resource-exhaustion Denial of Service.
AI Analysis
Technical Summary
CVE-2025-60790 is a denial-of-service vulnerability in ProcessWire CMS 3.0.246. A user holding the 'lang-edit' permission can upload a ZIP archive to the Language Support module (the upload used to import translation files). The module extracts the archive automatically before it validates the contents, and the extraction step enforces no limit on the uncompressed size, the number of entries, or the nesting of archives inside archives. Because nothing is bounded before decompression, an attacker can craft an archive whose expansion consumes far more CPU, memory or disk than its upload size suggests; the advisory does not detail the crafted archive, but a decompression bomb (a few kilobytes that inflate to gigabytes) is the usual mechanism for this class. The result is a PHP worker pool, CMS or host that stops responding.

The required privilege is low: 'lang-edit' is the kind of permission commonly granted to translators or content editors, so the set of accounts that can trigger the condition is larger than for an administrator-only feature. No authentication bypass or privilege escalation is involved; the root cause is missing input validation and missing resource accounting during extraction. At the time of publication no public exploit and no vendor patch were known, and no CVSS score had been assigned (the record lists the CVSS version as null). The issue is an availability problem rather than a data-exposure or code-execution risk, but for sites that depend on ProcessWire's multilingual features the availability impact can be significant.
Potential Impact
For European organizations, the primary impact of CVE-2025-60790 is disruption of web properties running ProcessWire CMS, particularly sites that use the Language Support module for multilingual content. Successful exploitation produces downtime, degraded response for every visitor sharing the affected PHP workers, and the revenue and reputation loss that follow. Public-sector sites, e-commerce storefronts and media outlets that manage several languages in ProcessWire are the most exposed. Because the attack needs only the 'lang-edit' permission, which is routinely handed to translators and external agencies in collaborative setups, the realistic attacker is an insider or a compromised low-privilege account rather than an anonymous user. Confidentiality and integrity are not directly affected, but loss of availability can breach service-level agreements and business-continuity targets, and recovery from a filled disk or an exhausted worker pool typically needs manual intervention (removing the extracted files, restarting PHP-FPM or the host), which adds operational cost. The absence of a known public exploit lowers the immediate risk, but the low privilege bar and the wide deployment of the affected component mean that proactive mitigation is warranted rather than waiting for an exploit to appear.
Mitigation Recommendations
To mitigate CVE-2025-60790 until a fixed ProcessWire release is available, organizations should:
1) Restrict the 'lang-edit' permission to trusted, named users and audit who holds it. In ProcessWire permissions are attached to roles, so review every role that carries lang-edit, not only the user list.
2) Enforce server-side limits before and during extraction: a maximum number of entries, a maximum uncompressed size per entry and in total, a maximum compression ratio (to reject decompression bombs), and rejection of nested archives. Check the limits against bytes actually decompressed, not only against the sizes declared in the ZIP headers, because the uploader controls those headers.
3) Validate the archive's structure before extracting anything: only the file names and types expected in a language pack, no directory entries and no unexpected paths.
4) Cap what a single request can consume independently of application checks: PHP's upload_max_filesize, post_max_size, memory_limit and max_execution_time, plus a disk quota or a separate filesystem for the upload and extraction directories, so that a bomb fills that volume rather than the one holding the database or site assets.
5) Monitor CPU, memory and disk usage of the PHP worker pool during upload and extraction, and alert on sudden growth of the directory Language Support extracts into; a sharp spike tied to a single admin request is the signal to look for.
6) Where a WAF fronts the admin area, rate-limit and size-limit ZIP uploads to the Language Support endpoints. This is a coarse control and does not replace the application-side limits above.
7) Keep ProcessWire updated and watch the vendor's release notes for a fix for this CVE.
8) Brief users who hold 'lang-edit' on where language packs are expected to come from and how large they normally are, so that an unusual upload request is questioned rather than performed.
Items 2 to 4 address the root cause (unbounded extraction before validation); items 1, 5 and 6 shrink the set of accounts and requests that can reach it.
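The following is an added example, not ProcessWire's code and not taken from the advisory. It shows the unbounded extraction pattern the advisory describes next to a bounded variant that implements recommendations 2 and 3 above: a metadata-only pass over the ZIP central directory that rejects oversized, too-numerous, badly-compressed or unexpected entries before any decompression, followed by a streamed extraction with a hard byte budget. The function names, the limit values, the allowed file extensions and the flat-layout assumption are illustrative assumptions; it needs PHP 8.0 or later with the zip extension.

```php
<?php
// Added example (not ProcessWire's code). Limits, allowed extensions and the
// flat-layout rule are illustrative assumptions, not values from the advisory.
declare(strict_types=1);

final class ZipLimitExceeded extends RuntimeException {}

// The pattern the advisory describes: the archive is fully expanded before
// anything about it is checked, so the uploader decides how much CPU, memory
// and disk the request consumes. Shown for contrast only.
function extractUnbounded(string $zipPath, string $destDir): void
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('cannot open archive');
    }
    $zip->extractTo($destDir); // no entry-count, size or ratio checks
    $zip->close();
}

// Bounded variant. Pass 1 validates using only central-directory metadata
// (no decompression). Pass 2 extracts through a stream with a byte budget so
// a header that lies about its size cannot get past the declared-size check.
function extractBounded(
    string $zipPath,
    string $destDir,
    int $maxEntries = 200,                 // assumption: language packs are small
    int $maxTotalBytes = 20 * 1024 * 1024, // assumption
    int $maxEntryBytes = 2 * 1024 * 1024,  // assumption
    int $maxRatio = 100,                   // uncompressed:compressed
    array $allowedExt = ['json', 'txt'],   // assumption about what the module reads
): array {
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('cannot open archive');
    }
    if ($zip->numFiles > $maxEntries) {
        throw new ZipLimitExceeded("too many entries: {$zip->numFiles}");
    }
    $declaredTotal = 0;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $st = $zip->statIndex($i);
        if ($st === false) {
            throw new RuntimeException("unreadable entry $i");
        }
        $name = $st['name'];
        // Expected layout is flat files only: reject directory entries and
        // nested paths. The extension allowlist also rejects nested archives.
        if (str_ends_with($name, '/') || str_contains($name, '/') || str_contains($name, '..')) {
            throw new ZipLimitExceeded("unexpected entry name: $name");
        }
        if (!in_array(strtolower(pathinfo($name, PATHINFO_EXTENSION)), $allowedExt, true)) {
            throw new ZipLimitExceeded("disallowed file type: $name");
        }
        if ($st['size'] > $maxEntryBytes) {
            throw new ZipLimitExceeded("entry too large: $name");
        }
        // A few compressed bytes that claim to expand to megabytes is the
        // decompression-bomb signature; deflate tops out near 1000:1 even on
        // all-zero input, and real translation files sit far below $maxRatio.
        if (intdiv($st['size'], max(1, $st['comp_size'])) > $maxRatio) {
            throw new ZipLimitExceeded("compression ratio too high: $name");
        }
        $declaredTotal += $st['size'];
        if ($declaredTotal > $maxTotalBytes) {
            throw new ZipLimitExceeded("archive expands beyond $maxTotalBytes bytes");
        }
    }

    $budget = $maxTotalBytes;
    $written = [];
    try {
        for ($i = 0; $i < $zip->numFiles; $i++) {
            $name = $zip->getNameIndex($i);
            $in = $zip->getStream($name);
            if ($in === false) {
                throw new RuntimeException("cannot read $name");
            }
            $target = rtrim($destDir, '/') . '/' . $name;
            $out = fopen($target, 'wb');
            if ($out === false) {
                throw new RuntimeException("cannot write $target");
            }
            $written[] = $target;
            while (!feof($in)) {
                $chunk = fread($in, 65536);
                if ($chunk === false) {
                    break;
                }
                $budget -= strlen($chunk);
                if ($budget < 0) { // the real stream, not the header, is what counts
                    throw new ZipLimitExceeded("decompressed data exceeded budget at $name");
                }
                fwrite($out, $chunk);
            }
            fclose($in);
            fclose($out);
        }
    } catch (Throwable $e) {
        foreach ($written as $f) { // leave nothing behind on failure
            @unlink($f);
        }
        throw $e;
    } finally {
        $zip->close();
    }
    return $written;
}
```

Call extractBounded() on the uploaded temporary file with $destDir on a volume separate from the site's assets and database, and only hand the returned paths to the translation importer afterwards. The first pass costs a read of the central directory and rejects most bombs before a single byte is inflated; the byte budget in the second pass is the backstop for an archive whose headers understate its contents. The PHP-level caps from recommendation 4 (memory_limit, max_execution_time, a filesystem quota) still belong underneath this code, since they hold even if the application check is bypassed or buggy.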
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- CVSS Version: null (no CVSS score assigned)
- State: PUBLISHED
Threat ID: 68f7c43cdde5d1d51b4c0d34
Added to database: 10/21/2025, 5:34:52 PM
Last enriched: 10/21/2025, 5:35:57 PM
Last updated: 10/21/2025, 11:50:53 PM
Related Threats
- CVE-2025-61756 (High): Easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks can result in an unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of Oracle Financial Services Analytical Applications Infrastructure. Vendor: Oracle Corporation.
- CVE-2025-62641 (High): Easily exploitable vulnerability allows a high-privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks can result in takeover of Oracle VM VirtualBox. Vendor: Oracle Corporation.
- CVE-2025-62592 (Medium): Easily exploitable vulnerability allows a high-privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. Vendor: Oracle Corporation.
- CVE-2025-62591 (Medium): Easily exploitable vulnerability allows a high-privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. Vendor: Oracle Corporation.
- CVE-2025-62590 (High): Easily exploitable vulnerability allows a high-privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks can result in takeover of Oracle VM VirtualBox. Vendor: Oracle Corporation.