CVE-2025-30159

9.1 CRITICAL

📋 TL;DR

This is a path traversal vulnerability in Kirby CMS that allows attackers to read and execute arbitrary files on the server when dynamic snippet names are used. It affects Kirby sites that pass user-controlled input to the snippet() helper; sites that only call snippet() with fixed names are not affected.

💻 Affected Systems

Products:
  • Kirby CMS
Versions: All versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using dynamic snippet names with user-controlled input like snippet('tags-' . get('tags'))


⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise including remote code execution, data exfiltration, and system takeover

🟠 Likely Case: Sensitive file disclosure (config files, credentials, source code) leading to further exploitation

🟢 If Mitigated: Limited impact with proper input validation and file system permissions

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Requires knowledge of site structure but can be discovered through fuzzing

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.9.8.3, 3.10.1.2, or 4.7.1 depending on your version

Vendor Advisory: https://github.com/getkirby/kirby/security/advisories/GHSA-fw82-87p8-v6hp

Restart Required: No

Instructions:

1. Identify your Kirby version.
2. Upgrade to 3.9.8.3 if on 3.9.x, 3.10.1.2 if on 3.10.x, or 4.7.1 if on 4.x.
3. Test functionality after upgrade.

🔧 Temporary Workarounds

Disable dynamic snippet calls

Applies to: all

Replace all dynamic snippet() calls with fixed string values

Input validation wrapper

Applies to: all

Create a wrapper function that validates snippet names before passing to snippet()
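One way to build the validation wrapper described above, as an added example that is not Kirby's own code. It assumes the Kirby helpers snippet() and get() are available in the template; resolveSnippetName(), safeSnippet() and the allowlist entries ('tags-news', 'tags-events', 'tags-default') are constructed names for this example.

```php
<?php
// Added example (not part of Kirby): a validating wrapper around snippet().

/**
 * Returns the snippet name to render, or null if the user-supplied suffix
 * is not one of the snippet names the site actually ships.
 */
function resolveSnippetName(string $prefix, $suffix, array $allowed): ?string
{
    // get() may return null or an array (?tags[]=x), so insist on a string,
    // then reject anything that is not a plain slug before touching the file
    // system: no slashes, dots, backslashes, null bytes or other path characters.
    if (!is_string($suffix) || preg_match('/^[a-z0-9-]{1,64}$/', $suffix) !== 1) {
        return null;
    }

    $name = $prefix . $suffix;

    // Allowlist of snippet names that exist in site/snippets, compared strictly
    // so only exact matches are accepted (defence in depth on top of the regex).
    return in_array($name, $allowed, true) ? $name : null;
}

/**
 * Drop-in replacement for snippet('tags-' . get('tags')): renders the snippet
 * only when the resolved name is on the allowlist, otherwise renders a fixed
 * fallback snippet instead of whatever the request asked for.
 */
function safeSnippet(string $prefix, $suffix, array $allowed, string $fallback, array $data = []): void
{
    $name = resolveSnippetName($prefix, $suffix, $allowed) ?? $fallback;
    snippet($name, $data);
}

// Usage in a template, replacing the vulnerable dynamic call from the advisory:
//   snippet('tags-' . get('tags'));   // dynamic name built from user input
// becomes (allowlist entries are constructed for this example):
//   safeSnippet('tags-', get('tags'), ['tags-news', 'tags-events'], 'tags-default');
```

The regex alone already blocks traversal sequences; the allowlist is what turns an open-ended file lookup into a choice between names you intended to expose, which is the property the "fixed string values" workaround relies on.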

🧯 If You Can't Patch

  • Review all snippet() calls and ensure no user input reaches the function
  • Implement strict file system permissions to limit PHP process access

🔍 How to Verify

Check if Vulnerable:

Check if your Kirby version is below 3.9.8.3, 3.10.1.2, or 4.7.1 and search codebase for dynamic snippet() calls

Check Version:

Check Kirby version in composer.json or via phpinfo()

Verify Fix Applied:

Verify version is 3.9.8.3+, 3.10.1.2+, or 4.7.1+ and test snippet functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in PHP logs
  • Multiple failed snippet load attempts with path traversal patterns

Network Indicators:

  • HTTP requests with suspicious snippet parameters containing ../ patterns

SIEM Query:

web_access_logs WHERE uri CONTAINS 'snippet' AND (uri CONTAINS '../' OR uri CONTAINS '..\\')
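The SIEM query above matches literal ../ sequences in the URI. As an added example that is not part of this advisory, the following script applies the same idea to access-log lines offline and also catches URL-encoded and double-encoded forms of the sequence, which a literal substring match misses. The log lines are constructed for the example, and hasTraversal() and suspiciousRequests() are hypothetical names.

```php
<?php
// Added example (not from the advisory): flag access-log requests whose
// target carries a path traversal sequence after URL decoding.

function hasTraversal(string $uri): bool
{
    // Decode once for ..%2F style encoding, and once more for double-encoded
    // sequences such as %252e%252e%252f; a literal "../" survives both steps.
    $decoded = rawurldecode(rawurldecode($uri));
    return (bool) preg_match('#(\.\./|\.\.\\\\)#', $decoded);
}

/**
 * Takes combined/common-format access-log lines and returns the request
 * targets that contain a traversal sequence.
 */
function suspiciousRequests(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $line) {
        // Pull the request target out of the quoted request line.
        if (preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP/', $line, $m) && hasTraversal($m[1])) {
            $hits[] = $m[1];
        }
    }
    return $hits;
}

// Constructed sample log lines: one benign request, one with a literal
// traversal sequence, one with the same sequence URL-encoded.
$sampleLog = [
    '203.0.113.5 - - [01/Apr/2025:10:00:00 +0000] "GET /blog?tags=news HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Apr/2025:10:00:01 +0000] "GET /blog?tags=../../../secret HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Apr/2025:10:00:02 +0000] "GET /blog?tags=..%2F..%2F..%2Fsecret HTTP/1.1" 200 512',
];

// The second and third request targets are reported; the first is not.
print_r(suspiciousRequests($sampleLog));
```

Note that the vulnerable parameter is whatever the template feeds into snippet() (tags in the advisory's example), so a query keyed on the word "snippet" in the URI will not see these requests; matching the traversal sequence itself in any query parameter is the more reliable indicator.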
