Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Vulnerability DatabaseCVE-2025-30159
CVE-2025-30159:
PHP vulnerability analysis and mitigation
Overview
Kirby, an open-source content management system, was found to contain a path traversal vulnerability (CVE-2025-30159) affecting versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1. The vulnerability was discovered and disclosed on May 13, 2025, specifically impacting sites that use the snippet() helper or $kirby->snippet() method with dynamic snippet names. Sites using only fixed calls to these methods with simple string names are not affected (GitHub Advisory, Wiz).
Technical details
The vulnerability stems from a missing path traversal check in the snippet handling functionality. When the snippet() helper or $kirby->snippet() method is called with dynamic snippet names (such as names depending on request or user data), attackers could use special elements like '..' and '/' separators to navigate outside the restricted location. The vulnerability has been assigned CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-23 (Relative Path Traversal) classifications, with a CVSS v4.0 score of 6.3 (Medium) (GitHub Advisory).
Impact
When exploited, the vulnerability allows attackers to access all files on the server that are accessible to the PHP process, including files outside of the snippets root or the Kirby installation. PHP code within accessed files could be executed, potentially compromising the server's confidentiality and integrity. The attack could enable mapping of the server's file system, access to sensitive configuration files containing security tokens, and unintended execution of PHP scripts (GitHub Advisory, Wiz).
Mitigation and workarounds
The vulnerability has been patched in Kirby versions 3.9.8.3, 3.10.1.2, and 4.7.1. The fix implements a check for the snippet path that ensures the resulting path is contained within the configured snippets root. Users should update to one of these or later versions. For sites that deliberately use path traversal, alternative approaches are recommended, such as using require __DIR__ . '/other-template.php' or overriding the $page->template() method (GitHub Advisory).
Community reactions
The security community acknowledged the responsible disclosure by Bruno Meilick (@bnomei) and Tobias Möritz (@tobimori), who were credited for bringing this attack vector to attention and providing input on the effects on site code (GitHub Release).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Get a personalized demo
Ready to see Wiz in action?
“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management