CVE-2025-60790: ProcessWire CMS vulnerable to resource-exhaustion Denial of Service

CVSS Score: N/A

Basic Information

EPSS Score: -
Published: 10/21/2025
Updated: 10/21/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: -

Package Name: processwire/processwire
Ecosystem: composer
Vulnerable Versions: <= 3.0.246
First Patched Version: -

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability analysis is based on the detailed security advisory posted in GitHub issue #2120. Although no specific commit or patch was available, the issue content, reported by a security researcher, gave explicit details about the root cause and the functions involved. The core of the vulnerability is the unrestricted extraction of ZIP archives, a classic 'zip bomb' scenario that leads to resource exhaustion.

The investigation identified two primary vulnerable functions: WireUpload::saveUploadZip and WireFileTools::unzip. WireUpload::saveUploadZip is the entry point: it accepts a user-provided ZIP file (in the context of language pack uploads) and passes it directly to WireFileTools::unzip for extraction without any prior validation. WireFileTools::unzip then extracts the archive without imposing any limit on file count, uncompressed size, or compression ratio, which is the direct cause of the Denial of Service. A third function, ProcessModuleInstall::unzipModule, was also identified as a potential entry point for the same vulnerability, as mentioned in the report. The file paths for these functions were determined from ProcessWire's consistent class-to-file naming convention. Since no patch was available, the vulnerability may remain unpatched across the specified version range.

Vulnerable functions

WireUpload::saveUploadZip
wire/core/WireUpload.php
This function is the initial entry point for the vulnerability. It handles the uploaded ZIP file for language packs, saves it, and directly calls the `unzip` method without performing any validation on the archive's size or content. This allows a malicious ZIP bomb to be passed to the extraction function.

WireFileTools::unzip
wire/core/WireFileTools.php
This function is responsible for extracting the contents of the ZIP archive. It does so without any limits on the uncompressed size, number of files, or extraction time. A highly compressed ZIP file (a 'zip bomb') can be crafted to expand to an enormous size, consuming all available disk space and CPU resources, leading to a denial of service.

ProcessModuleInstall::unzipModule
wire/modules/Process/ProcessModule/ProcessModuleInstall.php
This function serves as an alternative entry point for the vulnerability. It is used for installing modules from a ZIP file. The vulnerability report indicates that this path also calls the insecure `WireFileTools::unzip` function, allowing a user with module installation permissions to trigger the same resource exhaustion denial of service.
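As an added, defender-side example (written for this page, not ProcessWire's own code), the following PHP 8 routine shows the kind of bounded extraction that the `WireFileTools::unzip` path described above lacks: an entry-count cap, a declared-ratio heuristic, a path check, and a byte cap enforced on the bytes actually decompressed. The three caps and the constructed sample archive are assumptions, not values from the advisory.

```php
<?php
// Added example, not ProcessWire's own code: extraction with the limits the
// advisory says WireFileTools::unzip lacks. The three caps are assumed values.
declare(strict_types=1);
const MAX_ENTRIES     = 500;              // cap on entries in the archive
const MAX_TOTAL_BYTES = 32 * 1024 * 1024; // cap on bytes actually written
const MAX_ENTRY_RATIO = 100;              // declared uncompressed / compressed
// Extract $zipPath into $dest. Declared metadata is checked first (cheap), then
// the byte cap is re-applied to what is really decompressed, since central
// directory sizes can be forged. Returns null on success or a refusal reason;
// on refusal the caller should remove whatever was already written to $dest.
function extractZipBounded(string $zipPath, string $dest): ?string
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) return 'cannot open archive';
    if ($zip->numFiles > MAX_ENTRIES) return "too many entries ({$zip->numFiles})";
    $written = 0;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $st = $zip->statIndex($i);
        if ($st === false) return "unreadable entry $i";
        $name = $st['name'];
        // refuse absolute paths and traversal before touching the filesystem
        if ($name === '' || $name[0] === '/' || str_contains($name, '..')) return "unsafe name: $name";
        if ($st['comp_size'] > 0 && $st['size'] / $st['comp_size'] > MAX_ENTRY_RATIO) return "ratio too high: $name";
        if ($written + $st['size'] > MAX_TOTAL_BYTES) return "declared size over limit: $name";
        $out = $dest . '/' . $name;
        if (str_ends_with($name, '/')) { @mkdir($out, 0755, true); continue; }
        @mkdir(dirname($out), 0755, true);
        // stream the entry so the cap counts real decompressed bytes, not claims
        $in = $zip->getStream($name);
        $fh = $in === false ? false : fopen($out, 'wb');
        if ($in === false || $fh === false) return "cannot extract: $name";
        while (!feof($in)) {
            $chunk = fread($in, 65536);
            if ($chunk === false) break;
            $written += strlen($chunk);
            if ($written > MAX_TOTAL_BYTES) { fclose($in); fclose($fh); return 'decompressed size over limit'; }
            fwrite($fh, $chunk);
        }
        fclose($in); fclose($fh);
    }
    $zip->close();
    return null;
}
// Constructed sample: a tiny entry that inflates about 1000x; refused by the ratio check.
$tmp = tempnam(sys_get_temp_dir(), 'zb') . '.zip';
$z = new ZipArchive(); $z->open($tmp, ZipArchive::CREATE | ZipArchive::OVERWRITE);
$z->addFromString('data.bin', str_repeat("\0", 8 * 1024 * 1024)); $z->close();
echo extractZipBounded($tmp, sys_get_temp_dir() . '/zb-out') ?? 'extracted', PHP_EOL;
```

The ratio check is only a cheap heuristic on declared sizes; the streaming byte cap is the limit that actually holds, so it is the one to keep even if the caps are tuned per deployment.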

WAF Protection Rules

WAF Rule

ProcessWire CMS 3.0.246 allows a low-privileged user with lang-edit to upload a crafted ZIP to Language Support that is auto-extracted without limits prior to validation, enabling resource-exhaustion Denial of Service.
