CVE-2025-60790 is a vulnerability identified in ProcessWire CMS version 3.0.246 affecting the Language Support module. The flaw arises because the system allows a user with the 'lang-edit' privilege to upload a ZIP archive that is automatically extracted without any imposed limits or prior validation. This unchecked extraction can lead to resource exhaustion, such as CPU, memory, or disk space consumption, resulting in a denial of service (DoS) condition. The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption). The CVSS v3.1 base score is 6.5, indicating a medium severity level, with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, meaning it is remotely exploitable over the network, requires low privileges, no user interaction, and impacts availability only. The attack surface is limited to users with language editing rights, which may be a subset of authenticated users. No confidentiality or integrity impact is present. No patches or known exploits are currently available, but the vulnerability is publicly disclosed. The auto-extraction process lacking limits on file size, number of files, or extraction depth enables attackers to craft ZIP files that consume excessive server resources, potentially causing service outages or degraded performance. This can disrupt business operations, especially for websites relying on ProcessWire CMS for content management and localization.

For European organizations, the primary impact is on service availability. Organizations using ProcessWire CMS for their websites or intranet portals may experience denial of service if an attacker with low-level privileges uploads malicious ZIP files to the Language Support feature. This can lead to website downtime, loss of user trust, and potential revenue loss, especially for e-commerce or public service portals. Since the vulnerability requires authenticated access with language editing rights, insider threats or compromised accounts pose a significant risk. The lack of confidentiality or integrity impact limits data breach concerns but does not reduce the operational disruption risk. Organizations with multi-tenant or shared hosting environments could see broader impact if resource exhaustion affects other hosted services. Additionally, the absence of patches increases the window of exposure. Given the increasing reliance on CMS platforms in Europe, especially in countries with strong digital economies, the threat could affect critical infrastructure and public sector websites if not mitigated.

1. Immediately restrict 'lang-edit' privileges to only trusted and necessary users to reduce the attack surface. 2. Implement strict file upload controls, including limiting allowed file types, maximum file sizes, and scanning uploaded ZIP files before extraction. 3. Configure server resource limits (CPU, memory, disk quota) for the CMS process to prevent resource exhaustion from impacting the entire system. 4. Monitor logs and system metrics for unusual spikes in resource usage or failed extraction attempts. 5. If possible, disable automatic extraction of ZIP files in the Language Support module until a patch is available. 6. Apply any vendor-released patches or updates as soon as they become available. 7. Employ web application firewalls (WAF) with custom rules to detect and block suspicious ZIP uploads. 8. Conduct regular security audits and penetration testing focusing on file upload functionalities. 9. Educate administrators and users with elevated privileges about the risks of uploading untrusted archives. 10. Consider isolating the CMS environment using containerization or sandboxing to limit the blast radius of potential DoS attacks.