The vulnerability analysis was based on the detailed security advisory found within the GitHub issue #2120. Although no specific commit patch was available, the issue content, reported by a security researcher, provided explicit details about the root cause and the functions involved. The core of the vulnerability lies in the unrestricted extraction of ZIP archives, a classic 'zip bomb' scenario leading to resource exhaustion.
The investigation identified two primary vulnerable functions: WireUpload::saveUploadZip and WireFileTools::unzip. WireUpload::saveUploadZip acts as the entry point, accepting a user-provided ZIP file (in the context of language pack uploads) and passing it directly to WireFileTools::unzip for extraction without any prior validation. The WireFileTools::unzip function then extracts the archive without imposing any limits on file count, size, or compression ratio, which is the direct cause of the Denial of Service. A third function, ProcessModuleInstall::unzipModule, was also identified as a potential entry point for the same vulnerability, as mentioned in the report. The file paths for these functions were determined based on ProcessWire's consistent class-to-file naming convention. The absence of a patch indicates that the vulnerability may be unpatched in the specified version range.
| Function | File |
|---|---|
| WireUpload::saveUploadZip | wire/core/WireUpload.php |
| WireFileTools::unzip | wire/core/WireFileTools.php |
| ProcessModuleInstall::unzipModule | wire/modules/Process/ProcessModule/ProcessModuleInstall.php |
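As an added illustration, and not ProcessWire's own code, the PHP class below shows the guards the advisory says are missing from the WireFileTools::unzip call path: a cap on entry count, per-entry and per-archive uncompressed-size caps, a compression-ratio check, rejection of absolute and `..` entry names, and a byte budget enforced while each entry is actually inflated (the sizes declared in the central directory are attacker-controlled, so the pre-checks gate but do not guarantee). The class name, the limit values and the use of PHP's ZipArchive with streamed extraction are assumptions; PHP 8 is assumed for str_contains and str_ends_with.

```php
<?php
// Added example, not ProcessWire code: ZIP extraction with the limits the
// advisory says WireFileTools::unzip lacks. Class name and limits are assumed.

final class GuardedUnzip
{
    public const MAX_ENTRIES     = 2000;
    public const MAX_ENTRY_BYTES = 64 * 1024 * 1024;   // 64 MiB per entry (declared)
    public const MAX_TOTAL_BYTES = 256 * 1024 * 1024;  // 256 MiB per archive (declared and actual)
    public const MAX_RATIO       = 100;                // uncompressed : compressed, per entry

    /**
     * Validate the central directory, then extract entry by entry while
     * counting the bytes actually written. Returns the extracted entry names.
     * @throws RuntimeException on any limit violation or malformed entry.
     */
    public static function extract(string $zipPath, string $destDir): array
    {
        $dest = realpath($destDir);
        if ($dest === false || !is_dir($dest)) {
            throw new RuntimeException("Destination is not a directory: $destDir");
        }
        $zip = new ZipArchive();
        if ($zip->open($zipPath) !== true) {
            throw new RuntimeException("Cannot open archive: $zipPath");
        }
        try {
            $names  = self::validateCentralDirectory($zip);
            $budget = self::MAX_TOTAL_BYTES; // shared hard cap on bytes written to disk
            foreach ($names as $name) {
                $target = $dest . DIRECTORY_SEPARATOR . $name;
                $dir    = str_ends_with($name, '/') ? $target : dirname($target);
                if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
                    throw new RuntimeException("Cannot create directory: $dir");
                }
                if (!str_ends_with($name, '/')) {
                    self::streamEntry($zip, $name, $target, $budget);
                }
            }
            return $names;
        } finally {
            $zip->close();
        }
    }

    /** Checks on declared sizes and names; cheap, done before any byte is written. */
    private static function validateCentralDirectory(ZipArchive $zip): array
    {
        if ($zip->numFiles > self::MAX_ENTRIES) {
            throw new RuntimeException("Too many entries: {$zip->numFiles}");
        }
        $total = 0;
        $names = [];
        for ($i = 0; $i < $zip->numFiles; $i++) {
            $st = $zip->statIndex($i);
            if ($st === false) {
                throw new RuntimeException("Unreadable entry at index $i");
            }
            $name = $st['name'];
            // Reject empty names, absolute paths, backslashes and any '..' segment.
            if ($name === '' || $name[0] === '/' || str_contains($name, '\\')
                || preg_match('#(^|/)\.\.(/|$)#', $name)) {
                throw new RuntimeException("Unsafe entry name: $name");
            }
            $size = (int) $st['size'];
            $comp = (int) $st['comp_size'];
            if ($size > self::MAX_ENTRY_BYTES) {
                throw new RuntimeException("Entry too large: $name");
            }
            // Non-empty data with zero compressed size, or a ratio over the cap, is a bomb signature.
            if ($size > 0 && ($comp === 0 || $size / $comp > self::MAX_RATIO)) {
                throw new RuntimeException("Suspicious compression ratio: $name");
            }
            $total += $size;
            if ($total > self::MAX_TOTAL_BYTES) {
                throw new RuntimeException('Declared total size exceeds limit');
            }
            $names[] = $name;
        }
        return $names;
    }

    /** Copy one entry to disk, charging the shared budget as data is actually inflated. */
    private static function streamEntry(ZipArchive $zip, string $name, string $target, int &$budget): void
    {
        $in = $zip->getStream($name);
        if ($in === false) {
            throw new RuntimeException("Cannot read entry: $name");
        }
        $out = fopen($target, 'wb');
        if ($out === false) {
            fclose($in);
            throw new RuntimeException("Cannot write: $target");
        }
        try {
            while (($chunk = fread($in, 65536)) !== false && $chunk !== '') {
                $budget -= strlen($chunk);
                if ($budget < 0) {
                    @unlink($target); // drop the partial file before aborting
                    throw new RuntimeException("Byte budget exhausted while extracting $name");
                }
                fwrite($out, $chunk);
            }
        } finally {
            fclose($in);
            fclose($out);
        }
    }
}
```

A caller such as the language-pack upload path would replace its direct unzip call with `GuardedUnzip::extract($uploadedZipPath, $targetDir)` (paths assumed) inside a try block, treating any RuntimeException as a rejected upload. The streaming budget is the part that actually stops a zip bomb: the central-directory checks alone can be bypassed by an archive that lies about its sizes, but libzip inflates on demand, so counting written bytes bounds disk and memory use regardless of what the headers claim.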
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| processwire/processwire | composer | <= 3.0.246 | none identified |