Plattform
php
Komponente
getkirby/cms
Behoben in
3.9.9
3.10.1
4.0.1
3.9.8.3
CVE-2025-30207 is a Path Traversal vulnerability affecting the getkirby/cms content management system. This vulnerability allows an attacker to potentially access sensitive files on the server by manipulating file paths. It specifically impacts installations utilizing PHP's built-in web server, commonly used during local development, and does not affect deployments using Apache, nginx, or Caddy. The vulnerability is fixed in version 3.9.8.3.
This vulnerability arises from improper handling of file paths within the router.php file, which is used by getkirby/cms when utilizing PHP's built-in web server. An attacker can exploit this by crafting malicious requests containing path traversal sequences (e.g., .. and /) to access files outside of the intended document root. This could lead to the exposure of sensitive configuration files, source code, or other critical data stored on the server. While the impact is limited to development environments using PHP's built-in server, it represents a significant risk if such environments contain sensitive information or are used to test production-like configurations.
CVE-2025-30207 was publicly disclosed on 2025-05-13. There are currently no known public proof-of-concept exploits available. The vulnerability's impact is limited to development environments using PHP's built-in web server, reducing the likelihood of widespread exploitation. It is not listed on CISA KEV as of this writing.
Developers and system administrators using getkirby/cms in local development environments with PHP's built-in web server are at the highest risk. Shared hosting environments that default to PHP's built-in server for development purposes are also potentially vulnerable. Those using Kirby CMS for local testing or prototyping are particularly susceptible.
• php: Check for the presence of router.php in the document root and verify that PHP's built-in web server is not enabled in production.
ps aux | grep -i php-fpm• generic web: Examine access logs for unusual file requests containing .. sequences.
grep '../' /var/log/apache2/access.logdisclosure
Exploit-Status
EPSS
0.59% (69% Perzentil)
CISA SSVC
The primary mitigation for CVE-2025-30207 is to upgrade getkirby/cms to version 3.9.8.3 or later, which contains the fix. If upgrading is not immediately feasible, avoid using PHP's built-in web server in development environments. Instead, deploy the application using a production-grade web server such as Apache, Nginx, or Caddy. Ensure that file permissions are properly configured to restrict access to sensitive files. Consider implementing a Web Application Firewall (WAF) with rules to block requests containing path traversal sequences.
Aktualisieren Sie Kirby auf Version 3.9.8.3, 3.10.1.2 oder 4.7.1 oder eine spätere Version. Dies behebt die Path-Traversal-Schwachstelle im Router, wenn der PHP-eingebaute Server verwendet wird. Wenn Sie nicht sofort aktualisieren können, vermeiden Sie die Verwendung des PHP-eingebauten Servers in Produktionsumgebungen.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-30207 is a Path Traversal vulnerability affecting getkirby/cms versions up to 3.9.8.2 when using PHP's built-in web server, allowing attackers to potentially access sensitive files.
You are affected if you are using getkirby/cms version 3.9.8.2 or earlier and are using PHP's built-in web server in your environment. Sites using Apache, nginx, or Caddy are not affected.
Upgrade getkirby/cms to version 3.9.8.3 or later. Alternatively, disable PHP's built-in web server in production environments.
As of the current date, there are no confirmed reports of active exploitation of CVE-2025-30207.
Refer to the official getkirby/cms security advisory on their website or GitHub repository for the most up-to-date information.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.