CVE-2025-60790: 
PHP vulnerability analysis and mitigation

ProcessWire CMS version 3.0.246 contains a vulnerability (CVE-2025-60790) discovered on October 21, 2025, that allows a low-privileged user with lang-edit permissions to trigger a resource-exhaustion Denial of Service attack. The vulnerability exists in the Language Support feature where a crafted ZIP file can be uploaded and auto-extracted without proper validation or resource limits (MITRE, GitHub Issue).

The vulnerability stems from improper handling of ZIP file extraction in the WireUpload::saveUploadZip() and WireFileTools::unzip() components. The system extracts user-supplied ZIP files before validation and without resource limits. The unzip() routine only implements a basic '..' substring guard without checks on total uncompressed size, number of entries, directory depth, or extraction time. The vulnerability has been assigned CWE-409 (Improper Handling of Highly Compressed Data) and received a CVSS v3.1 Base Score of 6.5 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (GitHub Issue, NVD).

The vulnerability can cause significant system impact through request-time DoS affecting CPU and disk resources. A ZIP file below common upload limits (≤ 40 MB) can expand to multiple gigabytes during extraction, causing system-wide slowdown and potential service disruption. The issue can lead to disk exhaustion, causing cascading failures in caching, session management, image processing, and logging operations. Multiple parallel uploads can produce additive pressure, potentially saturating PHP-FPM workers and disk resources (GitHub Issue).

While no official patch has been confirmed, system administrators should implement strict file upload limits and carefully review permissions for users with lang-edit access. Additionally, monitoring system resource usage and implementing proper validation checks before ZIP extraction can help mitigate the risk (GitHub Issue).