CVE-2025-31493

9.1 CRITICAL

📋 TL;DR

This is a path traversal vulnerability in Kirby CMS that allows attackers to access and execute arbitrary files on the server when dynamic collection names are used. It affects Kirby sites using the collection() helper with user-controlled input. Only sites with fixed collection names are safe.

💻 Affected Systems

Products:
  • Kirby CMS
Versions: All versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using dynamic collection names with user input. Fixed collection names are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise including arbitrary code execution, data exfiltration, and lateral movement within the network.

🟠 Likely Case: Unauthorized file access leading to sensitive data exposure, configuration file reading, and potential privilege escalation.

🟢 If Mitigated: Limited impact with proper input validation and file system permissions restricting PHP process access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires knowledge of site structure and file system, but automated fuzzing can identify vulnerable setups.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.9.8.3, 3.10.1.2, or 4.7.1 depending on your version

Vendor Advisory: https://github.com/getkirby/kirby/security/advisories/GHSA-x275-h9j4-7p4h

Restart Required: No

Instructions:

1. Identify your Kirby version.
2. Upgrade to the patched version matching your major release: 3.9.x → 3.9.8.3, 3.10.x → 3.10.1.2, 4.x → 4.7.1.
3. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable dynamic collection usage (all): Replace all dynamic collection() calls with fixed strings, or implement strict input validation so that only known collection names reach the helper.

Restrict PHP process permissions (all): Configure the web server to run PHP with minimal file system access.

🧯 If You Can't Patch

  • Audit all collection() calls and ensure no user input reaches the collection name parameter
  • Implement web application firewall rules to detect path traversal attempts
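The audit above comes down to one rule: the name passed to collection() must never be derived from request data. The snippet below is an added example written for this page, not code from Kirby or the advisory; it assumes Kirby's collection() and get() helpers, and the allowlist keys and collection names are made up.

```php
<?php
// Added example (not Kirby project code): shows the vulnerable pattern the
// advisory warns about next to an allowlist-based replacement.
// Assumes Kirby's collection() and get() helpers; names in the map are constructed.

// Vulnerable pattern: the collection name comes straight from the request,
// so whatever the client sends decides which collection file is loaded.
//   $items = collection(get('type'));

// Hardened pattern: request values are only ever keys into a fixed map.
const COLLECTION_ALLOWLIST = [
    'news'   => 'articles',        // constructed example names
    'events' => 'upcoming-events',
];

/**
 * Map a request-supplied key to one of the fixed collection names.
 * Returns null for anything not on the allowlist, so traversal sequences,
 * slashes or NUL bytes can never reach collection().
 */
function resolveCollectionName(?string $key): ?string
{
    if ($key === null || $key === '') {
        return null;
    }
    // Exact array lookup; no normalisation or substring matching, which is
    // what keeps "..", "/" and similar from being reinterpreted downstream.
    return COLLECTION_ALLOWLIST[$key] ?? null;
}

$name = resolveCollectionName(get('type'));
if ($name === null) {
    // Unknown key: use a fixed default instead of passing the input through.
    $name = 'articles';
}
$items = collection($name);
```

The same lookup function is the place to log rejected keys, which gives the web-server and SIEM indicators below something concrete to correlate against.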

🔍 How to Verify

Check if Vulnerable:

Review code for collection() or $kirby->collection() calls whose name argument is built from dynamic values such as user input, request data, or variables rather than a fixed string.

Check Version:

Check Kirby version in panel or via PHP: echo Kirby::version();

Verify Fix Applied:

Check Kirby version is 3.9.8.3, 3.10.1.2, or 4.7.1 or higher

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in web server logs
  • Failed path traversal attempts
  • Access to files outside collections directory

Network Indicators:

  • HTTP requests with suspicious path patterns in collection parameters

SIEM Query:

web.url:*collection* AND (web.url:*../* OR web.url:*..\*)
