CVE-2025-31493: Kirby vulnerable to path traversal of collection names during file system lookup

May 13, 2025

The missing path traversal check allowed attackers to navigate and access all files on the server that were accessible to the PHP process, including files outside of the collections root or even outside of the Kirby installation. PHP code within such files was executed.

Such attacks first require an attack vector in the site code that is caused by dynamic collection names, such as collection('tags-' . get('tags')). It generally also requires knowledge of the site structure and the server’s file system by the attacker, although it can be possible to find vulnerable setups through automated methods such as fuzzing.
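The following PHP is an added illustration written for this page; it is not Kirby's code and not the fix referenced in the commit above. It assumes a site that stores collections as site/collections/<name>.php and loads the resolved file with require, so whatever file the name resolves to is executed. The helpers naiveCollectionFile() and safeCollectionFile() are hypothetical, and the site-code pattern uses a subdirectory prefix ('tags/' . get('tag')) as a variant of the advisory's 'tags-' . get('tags') so the traversal resolves on a plain POSIX file system. The directory layout and the config file are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added illustration, not Kirby's code. Assumptions: collections live as
// site/collections/<name>.php and the resolved file is loaded with `require`,
// so whatever file the name resolves to is executed. naiveCollectionFile()
// and safeCollectionFile() are hypothetical helpers. Requires PHP 8.

/** Naive resolution: the name is spliced straight into the path. */
function naiveCollectionFile(string $root, string $name): string
{
    return $root . '/' . $name . '.php';
}

/**
 * Hardened resolution: allow-list the name (identifier segments joined by
 * single slashes) and verify that the canonical path stays under the root.
 * The realpath check also catches a symlink inside the root that points
 * outside it, which the allow-list alone would not.
 */
function safeCollectionFile(string $root, string $name): string
{
    if (preg_match('~^[a-z0-9_-]+(?:/[a-z0-9_-]+)*$~i', $name) !== 1) {
        throw new InvalidArgumentException("invalid collection name: $name");
    }
    $rootReal = realpath($root);
    $file     = realpath($root . '/' . $name . '.php');
    if ($rootReal === false || $file === false
        || !str_starts_with($file, $rootReal . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException("collection not found or outside root: $name");
    }
    return $file;
}

// Constructed demo layout (not a real site):
//   <tmp>/site/collections/tags/featured.php   legitimate collection
//   <tmp>/site/config/config.php               sensitive file outside the root
$base = sys_get_temp_dir() . '/collection-demo-' . bin2hex(random_bytes(4));
mkdir("$base/site/collections/tags", 0700, true);
mkdir("$base/site/config", 0700, true);
file_put_contents("$base/site/collections/tags/featured.php",
    "<?php return ['featured'];");
file_put_contents("$base/site/config/config.php",
    "<?php return ['api' => ['token' => 'constructed-secret']];");

$root = "$base/site/collections";

// Site code of the kind the advisory describes, with the request value
// (what get('tag') would return) chosen by the attacker:
$attackerInput = '../../config/config';
$name = 'tags/' . $attackerInput;

// Without a traversal check the name escapes the collections root.
$path = naiveCollectionFile($root, $name);
echo 'naive resolves to: ', realpath($path), PHP_EOL;
$leaked = require $path;   // the config file is executed and its array returned
echo 'leaked token: ', $leaked['api']['token'], PHP_EOL;

// The hardened lookup rejects the same name before touching the file system.
try {
    safeCollectionFile($root, $name);
} catch (Throwable $e) {
    echo 'hardened rejects: ', $e->getMessage(), PHP_EOL;
}
echo 'legitimate name resolves to: ', safeCollectionFile($root, 'tags/featured'), PHP_EOL;
```

The allow-list is the primary control: names that are not plain identifiers never reach the file system, which is what removes the fuzzing surface the advisory mentions. The realpath containment check is a second layer for the cases a character filter cannot see, such as a symlinked collection file. Site code that builds collection names from request data should apply the same allow-list itself rather than rely on the framework alone.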

In a vulnerable setup, this could cause damage to the confidentiality and integrity of the server, for example:

  • it could allow the attacker to build a map of the server’s file system for subsequent attacks,
  • it could allow access to configuration files that may contain sensitive information like security tokens or
  • it could cause the unintended execution of PHP scripts.

References

  • github.com/advisories/GHSA-x275-h9j4-7p4h
  • github.com/getkirby/kirby
  • github.com/getkirby/kirby/commit/95a51480a426a8ed0df799cc017403be9b987ced
  • github.com/getkirby/kirby/releases/tag/3.10.1.2
  • github.com/getkirby/kirby/releases/tag/3.9.8.3
  • github.com/getkirby/kirby/releases/tag/4.7.1
  • github.com/getkirby/kirby/security/advisories/GHSA-x275-h9j4-7p4h
  • nvd.nist.gov/vuln/detail/CVE-2025-31493

Affected versions

All versions before 3.9.8.3, all versions starting from 3.10.0 before 3.10.1.2, all versions starting from 4.0.0 before 4.7.1

Fixed versions

  • 3.9.8.3
  • 3.10.1.2
  • 4.7.1

Solution

Upgrade to the fixed release of the branch in use: 3.9.8.3 for 3.9.x, 3.10.1.2 for 3.10.x, or 4.7.1 for 4.x, or any later release. Until the upgrade is applied, a site is only exposed if its own code builds collection names from request data, so auditing for dynamic collection names (such as the collection('tags-' . get('tags')) pattern above) and restricting them to an allow-list of known names reduces the risk.

Weakness

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-23: Relative Path Traversal

Source file

packagist/getkirby/cms/CVE-2025-31493.yml

Page generated Wed, 14 May 2025 12:15:41 +0000.