CVE-2025-30159 Overview
CVE-2025-30159 is a path traversal vulnerability affecting Kirby, an open-source content management system. The vulnerability exists in the snippet() helper and $kirby->snippet() method when used with dynamic snippet names that depend on request or user data. A missing path traversal check allows attackers to navigate and access all files on the server accessible to the PHP process, including files outside the snippets root or even outside the Kirby installation. PHP code within such files is executed, potentially compromising both confidentiality and integrity of the server.
Sites that only use fixed calls to the snippet() helper with simple string arguments for the snippet name are not affected by this vulnerability.
Critical Impact
Attackers can exploit dynamic snippet name usage to traverse the file system and execute arbitrary PHP files, potentially leading to full server compromise through Local File Inclusion (LFI) and code execution.
Affected Products
- Kirby versions prior to 3.9.8.3
- Kirby versions prior to 3.10.1.2
- Kirby versions prior to 4.7.1
Discovery Timeline
- 2025-05-13 - CVE-2025-30159 published to NVD
- 2025-08-26 - Last updated in NVD database
Technical Details for CVE-2025-30159
Vulnerability Analysis
This path traversal vulnerability (CWE-22) allows attackers to escape the intended snippets directory by manipulating dynamic snippet names. When a Kirby site uses patterns such as snippet('tags-' . get('tags')) where the snippet name incorporates user-controlled input, an attacker can inject path traversal sequences to access arbitrary files on the server.
The vulnerability requires an existing attack vector in the site code—specifically, the use of dynamic snippet names that incorporate request or user data without proper validation. While exploitation also typically requires knowledge of the site structure and server file system, attackers can discover vulnerable setups through automated fuzzing techniques.
The impact is significant: successful exploitation allows reading of sensitive files and execution of PHP code outside the intended snippets directory, potentially compromising the entire server.
Root Cause
The root cause of CVE-2025-30159 is the absence of a path traversal validation check when resolving snippet paths. When the snippet() helper or $kirby->snippet() method receives a dynamically constructed snippet name, it fails to verify that the resolved path remains within the configured snippets root directory. This allows path traversal sequences (such as ../) embedded in user input to escape the intended directory boundary.
Attack Vector
The attack is network-based and requires no authentication. An attacker identifies a Kirby site using dynamic snippet names with user-controllable input, then crafts a malicious request containing path traversal sequences to access files outside the snippets root.
For example, if a site uses snippet('tags-' . get('tags')), an attacker could provide a tags parameter containing path traversal sequences like ../../config/config to access configuration files or ../../../etc/passwd to read system files. If the traversed path points to a PHP file, that code will be executed in the context of the web server.
The vulnerability mechanism works as follows: when user input such as ../../../malicious-file is passed to the snippet function, the resulting path escapes the snippets directory, allowing file access and PHP code execution outside intended boundaries. See the GitHub Security Advisory for complete technical details.
Detection Methods for CVE-2025-30159
Indicators of Compromise
- HTTP requests containing path traversal sequences (../, ..%2f, ..%5c) in GET or POST parameters used by snippet functions
- Unusual file access patterns in web server logs indicating attempts to reach files outside the web root
- PHP errors or warnings related to file inclusion from unexpected directories
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block path traversal sequences in request parameters
- Monitor web server access logs for requests containing encoded or unencoded directory traversal patterns
- Review application code for usage of snippet() or $kirby->snippet() with dynamic, user-controlled parameters
Monitoring Recommendations
- Enable detailed PHP error logging and monitor for file inclusion warnings from unexpected paths
- Configure intrusion detection systems to alert on path traversal attack signatures
- Implement file integrity monitoring on sensitive server directories to detect unauthorized access
How to Mitigate CVE-2025-30159
Immediate Actions Required
- Upgrade Kirby to version 3.9.8.3, 3.10.1.2, or 4.7.1 or later immediately
- Audit site code for usage of dynamic snippet names with user-controlled input
- Implement input validation to sanitize any user data used in snippet name construction
Patch Information
The Kirby maintainers have addressed this vulnerability in versions 3.9.8.3, 3.10.1.2, and 4.7.1. The fix adds a validation check for snippet paths that ensures the resulting path is contained within the configured snippets root directory. Snippet paths that point outside of the snippets root will not be loaded.
Patch releases are available:
Workarounds
- Avoid using dynamic snippet names that incorporate user-controlled input until patching is complete
- Implement strict allowlisting for any user input that affects snippet selection
- Use a web application firewall to block requests containing path traversal patterns
# Example: Updating Kirby via Composer to patched version
composer update getkirby/kirby --with-dependencies
# Verify installed version
composer show getkirby/kirby | grep version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
