SB20260423150 - Multiple vulnerabilities in Kirby
Published: April 23, 2026
Description
This security bulletin contains information about 3 vulnerabilities.
1) Relative Path Traversal (CVE-ID: CVE-2025-31493)
CWE-ID: CWE-23 - Relative Path Traversal
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to access arbitrary files and execute unintended PHP code.
The vulnerability exists due to path traversal in the collection() helper and $kirby->collection() method when processing a dynamic collection name during file system lookup. A remote attacker can supply a specially crafted collection name containing traversal sequences to access arbitrary files and execute unintended PHP code.
Only sites that use dynamic collection names derived from request or user data are vulnerable.
2) Relative Path Traversal (CVE-ID: CVE-2025-30207)
CWE-ID: CWE-23 - Relative Path Traversal
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to determine whether files or directories exist outside of the restricted location.
The vulnerability exists due to path traversal in router.php when handling crafted requests for static files using traversal sequences. A remote attacker can send a specially crafted request to determine whether files or directories exist outside of the restricted location.
Only setups that use PHP's built-in server are vulnerable. Sites using other server software such as Apache, nginx, or Caddy are not affected.
3) Relative Path Traversal (CVE-ID: CVE-2025-30159)
CWE-ID: CWE-23 - Relative Path Traversal
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to access arbitrary files and execute unintended PHP code.
The vulnerability exists due to relative path traversal in the snippet() helper and $kirby->snippet() method when processing a dynamic snippet name during file system lookup. A remote attacker can supply a specially crafted snippet name containing traversal sequences to access arbitrary files and execute unintended PHP code.
Only sites that use dynamic snippet names based on request or user data are vulnerable; sites that use only fixed snippet names are not affected.
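The caveats on the collection() and snippet() helpers above come down to the same control: a dynamic name taken from request or user data must be validated before it reaches a file system lookup. The following is an added example, not Kirby's own code; the safeTemplateName function, the directory layout and the allowlist pattern are assumptions for this demonstration.

```php
<?php
declare(strict_types=1);

// Added example (not Kirby code): validate a dynamic snippet or collection
// name before it is used in a file system lookup. $baseDir is the directory
// the helper is meant to read from (assumption: site/snippets or
// site/collections); $name comes from request or user data.

/**
 * Return $name if it is a safe snippet/collection identifier, otherwise null.
 * Two independent controls: a strict character allowlist, and a realpath
 * containment test so a normalised path can never leave $baseDir.
 */
function safeTemplateName(string $name, string $baseDir): ?string
{
    // Segments of [a-z0-9_-] separated by '/'. This rejects '.', '..',
    // backslashes, NUL bytes and already-decoded %2e%2e sequences outright,
    // so realpath() below only ever sees a well-formed name.
    if (preg_match('~^[a-z0-9_-]+(/[a-z0-9_-]+)*$~', $name) !== 1) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() returns false for a missing file: treat "not found" as
    // a rejection rather than falling back to another location.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    if ($candidate === false) {
        return null;
    }
    // Containment: the resolved file must sit strictly below $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $name;
}

// Constructed demo layout in a temporary directory (not a real site).
$root = sys_get_temp_dir() . '/kirby-demo-' . bin2hex(random_bytes(4));
mkdir("$root/snippets/blocks", 0700, true);
file_put_contents("$root/snippets/header.php", '<header></header>');
file_put_contents("$root/snippets/blocks/text.php", '<p></p>');
file_put_contents("$root/outside.php", '<?php // must stay unreachable');

foreach (['header', 'blocks/text', '../outside', 'blocks/../../outside', 'missing'] as $name) {
    $result = safeTemplateName($name, "$root/snippets");
    printf("%-22s => %s\n", $name, $result === null ? 'rejected' : "ok ($result)");
}
```

The allowlist alone already stops every traversal form in the demo; the realpath containment check is kept as defence in depth for names that pass the pattern but resolve through a symlink.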
Remediation
Install the update from the vendor's website.
References
- https://github.com/getkirby/kirby/security/advisories/GHSA-x275-h9j4-7p4h
- https://github.com/advisories/GHSA-x275-h9j4-7p4h
- https://github.com/getkirby/kirby/security/advisories/GHSA-9p3p-w5jf-8xxg
- https://github.com/advisories/GHSA-9p3p-w5jf-8xxg
- https://github.com/getkirby/kirby/security/advisories/GHSA-fw82-87p8-v6hp