CVE-2025-30207

Name of the Vulnerable Software and Affected Versions: Kirby versions prior to 3.9.8.3 Kirby versions prior to 3.10.1.2 Kirby versions prior to 4.7.1

Description: A vulnerability in Kirby affects setups that use PHP's built-in server, commonly used during local development. This issue allows attackers to navigate all files on the server accessible to the PHP process, including files outside of the Kirby installation, due to a missing path traversal check. The vulnerable implementation delegates existing files to PHP, including files outside of the document root, leading to different responses that allow attackers to determine whether the requested file exists. However, the contents of the files were not exposed as PHP treats requests to files outside of the document root as invalid.

Recommendations: For versions prior to 3.9.8.3, update to Kirby 3.9.8.3 or later. For versions prior to 3.10.1.2, update to Kirby 3.10.1.2 or later. For versions prior to 4.7.1, update to Kirby 4.7.1 or later.