Platform: php
Component: getkirby/cms
Fixed in: 3.9.9, 3.10.1, 4.0.1, 3.9.8.3
CVE-2025-30207 is a Path Traversal vulnerability affecting the getkirby/cms content management system. This vulnerability allows an attacker to potentially access sensitive files on the server by manipulating file paths. It specifically impacts installations utilizing PHP's built-in web server, commonly used during local development, and does not affect deployments using Apache, nginx, or Caddy. The vulnerability is fixed in version 3.9.8.3.
The primary impact of CVE-2025-30207 lies in the potential for unauthorized file access. An attacker exploiting this vulnerability could read arbitrary files from the server's file system, potentially exposing sensitive configuration data, source code, or other confidential information. While the vulnerability is limited to environments using PHP's built-in web server, these environments are frequently used for development and testing, where sensitive information might be present. Successful exploitation could lead to information disclosure and potentially compromise the integrity of the development environment. The blast radius is contained to the server hosting the vulnerable getkirby/cms installation and only affects those using the PHP built-in server.
CVE-2025-30207 was publicly disclosed on May 13, 2025. The vulnerability's low CVSS score (2.5) suggests a relatively low probability of exploitation. There are currently no publicly available proof-of-concept exploits. It is not listed on the CISA KEV catalog at the time of this writing.
Exploit Status
EPSS: 0.59% (69th percentile)
CISA SSVC: not listed
The primary mitigation for CVE-2025-30207 is to upgrade getkirby/cms to version 3.9.8.3 or later. If upgrading is not immediately feasible, the most effective workaround is to stop using PHP's built-in web server in production environments and serve the site through a production-grade web server such as Apache or nginx instead. Additionally, restrict access to the router.php file if it is reachable from outside. There are no specific Sigma or YARA rules for this vulnerability, since it relies on path traversal within the application's own file structure rather than on a distinctive payload or artifact.
Update Kirby to version 3.9.8.3, 3.10.1.2 or 4.7.1, or a later version. This fixes the path traversal vulnerability in the router when using PHP's built-in server. If you cannot update immediately, avoid using PHP's built-in server in production environments.
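The mitigation above is about where the built-in server is used, not how a router should handle a traversal attempt. The following is an added example, not Kirby's own router.php and not code from the advisory: a minimal front controller for PHP's built-in server that only serves a static file after resolving the requested path with realpath() and confirming it still lies inside the document root. Assumptions: the script sits in the site root next to a hypothetical index.php that the application uses as its entry point, and static files are served from that same root.

```php
<?php
// Added example (hypothetical safe_router.php, not Kirby's router.php):
// a front controller for PHP's built-in server that refuses to serve any
// file whose resolved path escapes the document root.
// Usage (from the site root):  php -S localhost:8000 safe_router.php
declare(strict_types=1);

// Assumption: the document root is the directory this script lives in.
$root = realpath(__DIR__);

// A small, explicit content-type map; anything not listed is not served
// as a static file and falls through to the application front controller.
const STATIC_TYPES = [
    'css'  => 'text/css',
    'js'   => 'application/javascript',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'svg'  => 'image/svg+xml',
    'txt'  => 'text/plain',
];

/**
 * Return the absolute path of a static file that is safe to serve, or null.
 * The containment check is done on the realpath() result, so "..", encoded
 * dots (%2e%2e) and symlinks pointing outside $root are all rejected.
 */
function resolveStaticFile(string $root, string $requestUri): ?string
{
    // Strip the query string and decode percent-encoding before inspecting.
    $path = rawurldecode((string) (parse_url($requestUri, PHP_URL_PATH) ?? '/'));

    // NUL bytes and ".." segments are never legitimate in a static request.
    if (strpos($path, "\0") !== false) {
        return null;
    }
    foreach (explode('/', $path) as $segment) {
        if ($segment === '..') {
            return null;
        }
    }

    $candidate = realpath($root . DIRECTORY_SEPARATOR . ltrim($path, '/'));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }

    // Compare against $root plus a trailing separator so that a sibling
    // directory such as /var/www/site-private does not match /var/www/site.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    // Never expose dotfiles (.env, .git/...) or PHP source as static content.
    $extension = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    if (basename($candidate)[0] === '.' || !isset(STATIC_TYPES[$extension])) {
        return null;
    }

    return $candidate;
}

// Only act as a router under the built-in server; Apache/nginx handle
// static files themselves and never reach this script.
if (PHP_SAPI === 'cli-server') {
    $file = resolveStaticFile($root, $_SERVER['REQUEST_URI'] ?? '/');
    if ($file !== null) {
        // Serve the verified file ourselves instead of returning false,
        // so the built-in server never re-resolves the raw request path.
        header('Content-Type: ' . STATIC_TYPES[strtolower(pathinfo($file, PATHINFO_EXTENSION))]);
        header('Content-Length: ' . (string) filesize($file));
        readfile($file);
        exit;
    }
    // Everything else goes to the application entry point (assumed index.php).
    require $root . DIRECTORY_SEPARATOR . 'index.php';
}
```

The design choice worth noting is that the decision is made on the realpath() result rather than on the request string: string-level filtering alone misses encoded or platform-specific separator tricks, whereas a canonical absolute path either starts with the document root or it does not. Serving the file with readfile() rather than returning false also avoids handing the original, unvalidated URI back to the built-in server.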
CVE-2025-30207 is a Path Traversal vulnerability affecting getkirby/cms versions up to 3.9.8.2 when using PHP's built-in web server, allowing attackers to potentially access sensitive files.
You are affected if you are using getkirby/cms version 3.9.8.2 or earlier and are using PHP's built-in web server in your environment. Sites using Apache, nginx, or Caddy are not affected.
Upgrade getkirby/cms to version 3.9.8.3 or later. Alternatively, disable PHP's built-in web server in production environments.
As of the current date, there are no confirmed reports of active exploitation of CVE-2025-30207.
Refer to the official getkirby/cms security advisory on their website or GitHub repository for the most up-to-date information.