2.3

CVSS Score

4.0

-

CVSS Score

Basic Information

CVE ID

CVE-2025-30207

GHSA ID

GHSA-9p3p-w5jf-8xxg

EPSS Score

0.08585%

CWE

CWE-22

Published

5/13/2025

Updated

5/13/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-30207

CVE-2025-30207: Kirby vulnerable to path traversal in the router for PHP's built-in server

TL;DR

This vulnerability affects all Kirby setups that use PHP's built-in server. Such setups are commonly only used during local development.

Sites that use other server software (such as Apache, nginx or Caddy) are not affected.

Introduction

For use with PHP's built-in web server, Kirby provides a router.php file. The router delegates requests to static files to PHP so that assets and other static files in the document root can be accessed by the browser.

This logic was vulnerable against path traversal attacks. By using special elements such as .. and / separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the ../ sequence, which in most modern operating systems is interpreted as the parent directory of the current location.

Impact

The missing path traversal check allowed attackers to navigate all files on the server that were accessible to the PHP process, including files outside of the Kirby installation.

The vulnerable implementation delegated all existing files to PHP, including existing files outside of the document root. This leads to a different response that allows attackers to determine whether the requested file exists.

Because Kirby's router only delegates such requests to PHP and does not load or execute them, contents of the files were not exposed as PHP treats requests to files outside of the document root as invalid.

Patches

The problem has been patched in Kirby 3.9.8.3, Kirby 3.10.1.2 and Kirby 4.7.1. Please update to one of these or a later version to fix the vulnerability.

In all of the mentioned releases, we have updated the router to check if existing static files are within the document root. Requests to files outside the document root are treated as page requests of the error page and will no longer allow to determine whether the file exists or not.

Miggo Vulnerability Database

→

CVE-2025-30207

CVE-2025-30207:

2.3

CVSS Score

4.0

-

CVSS Score

Basic Information

CVE ID

CVE-2025-30207

GHSA ID

GHSA-9p3p-w5jf-8xxg

EPSS Score

0.08585%

CWE

CWE-22

Published

5/13/2025

Updated

5/13/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
getkirby/cms	composer	< 3.9.8.3	3.9.8.3
getkirby/cms	composer	>= 3.10.0, < 3.10.1.2	3.10.1.2
getkirby/cms	composer	>= 4.0.0, < 4.7.1	4.7.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a path traversal issue within the router.php script provided by Kirby for use with PHP's built-in web server. The provided commit 3ebc9ad3f5adcbd4838ce60219f1c9a561231235 directly patches this file. The diff shows that the logic for checking if a requested URI corresponds to a static file was modified. Specifically, the original code used file_exists() with a path constructed from user input ($uri, derived from $_SERVER['REQUEST_URI']) without ensuring that this path resolved to a location within the document root. This allowed path traversal. The patch introduces checks using realpath() and substr() to validate that the file path is confined to the document root. Since the vulnerable logic is in the global execution scope of the router.php script and not within a specific user-defined function shown in the patch, the script router.php itself is identified as the vulnerable component. A runtime profiler would indicate execution within this script when the vulnerability is triggered.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

2.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-30207: Kirby vulnerable to path traversal in the router for PHP's built-in server

TL;DR

Introduction

Impact

Patches

CVE-2025-30207:

2.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

2.3

2.3

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-30207: Kirby vulnerable to path traversal in the router for PHP's built-in server

TL;DR

Introduction

Impact

Patches

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI