Path Traversal Vulnerability in Kirby CMS Affects Local Development Setups
CVE-2025-30207

2.3LOW

Key Information:

Vendor

Getkirby

Status
Kirby
Vendor
CVE Published:
13 May 2025

What is CVE-2025-30207?

A path traversal vulnerability exists in Kirby CMS versions before 3.9.8.3, 3.10.1.2, and 4.7.1, affecting setups using PHP's built-in server, typically used during local development. Attackers can exploit this flaw to navigate files accessible to the PHP process, including those outside the installation directory. Although the contents of these files are not exposed by PHP, the vulnerability allows for detection of the existence of these files. The issue has been mitigated in the latest versions, where the router now checks the document root to prevent unauthorized access beyond it, returning an error page for requests outside the valid scope.

Affected Version(s)

kirby < 3.9.8.3 < 3.9.8.3

kirby >= 3.10.0, < 3.10.1.2 < 3.10.0, 3.10.1.2

kirby >= 4.0.0, < 4.7.1 < 4.0.0, 4.7.1

References

https://github.com/getkirby/kirby/security/advisories/GHS...
x_refsource_CONFIRM
https://github.com/getkirby/kirby/releases/tag/3.10.1.2
x_refsource_MISC
https://github.com/getkirby/kirby/releases/tag/3.9.8.3
x_refsource_MISC

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.