
Cloud Vulnerability DB
A community-led vulnerabilities database
ProcessWire CMS 3.0.246 contains a vulnerability (CVE-2025-60790) that allows a low-privileged user with lang-edit permission to trigger a Denial of Service (DoS) condition through unlimited pre-validation ZIP extraction in the Language Support component. The vulnerability was discovered by Md. Moniruzzaman Prodhan and affects version 3.0.246 of ProcessWire CMS (GitHub Issue).
The vulnerability exists in the WireUpload::saveUploadZip() and WireFileTools::unzip() routines. The system extracts user-supplied ZIP files before any validation and without resource limits. The unzip() routine applies only a simple '..' substring guard, with no checks on total uncompressed size, number of entries, directory depth, or extraction time. The vulnerability is classified under CWE-409 (Improper Handling of Highly Compressed Data) (GitHub Issue).
The vulnerability can lead to significant resource exhaustion affecting both CPU and disk usage. A small ZIP file (below typical upload caps of 40 MB) can expand to multiple gigabytes during extraction in site/assets/files/.zip_tmp/, causing request-time CPU and disk spikes and observable slowdown across the admin and the site. If extraction consumes the partition's free space, it can trigger a disk-exhaustion cascade: caching failures, session write errors, and forced logouts (GitHub Issue).
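The following is an added defensive example written for this page; it is not ProcessWire's code and not a vendor patch. It shows the pre-validation the description says unzip() lacks: a bound on entry count, declared and actual uncompressed size, per-entry compression ratio, directory depth and wall-clock time, plus a per-segment traversal check instead of a '..' substring search. It uses PHP's built-in ZipArchive; the function names (preflightZip, extractBounded, ZipLimitException), the limit values and the example paths are assumptions chosen for illustration.

```php
<?php
// Added defensive example, not ProcessWire's own code. Validates a ZIP archive's
// central directory before extraction, then extracts with a byte budget and a
// deadline so a forged central directory cannot bypass the declared-size checks.
// All limit values are illustrative assumptions.

final class ZipLimitException extends RuntimeException {}

/** Read the central directory only (no extraction) and enforce declared-size limits. */
function preflightZip(string $zipPath, array $limits): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new ZipLimitException("cannot open archive");
    }
    if ($zip->numFiles > $limits['maxEntries']) {
        throw new ZipLimitException("too many entries: {$zip->numFiles}");
    }
    $total = 0;
    $names = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $stat = $zip->statIndex($i);
        if ($stat === false) {
            throw new ZipLimitException("unreadable entry $i");
        }
        $name = str_replace('\\', '/', $stat['name']);
        // Reject absolute paths and drive letters, then check each path segment for '..'
        if ($name === '' || $name[0] === '/' || preg_match('~^[A-Za-z]:~', $name)) {
            throw new ZipLimitException("absolute path: $name");
        }
        $segments = explode('/', rtrim($name, '/'));
        if (in_array('..', $segments, true)) {
            throw new ZipLimitException("path traversal: $name");
        }
        if (count($segments) > $limits['maxDepth']) {
            throw new ZipLimitException("directory depth exceeded: $name");
        }
        // Declared sizes come from the central directory and can be forged,
        // so extractBounded() re-checks the bytes actually written.
        $size = (int) $stat['size'];
        $comp = (int) $stat['comp_size'];
        if ($size > $limits['maxEntryBytes'] || ($comp > 0 && $size / $comp > $limits['maxRatio'])) {
            throw new ZipLimitException("entry too large or suspicious ratio: $name");
        }
        $total += $size;
        if ($total > $limits['maxTotalBytes']) {
            throw new ZipLimitException("total uncompressed size exceeded at $name");
        }
        $names[] = $name;
    }
    $zip->close();
    return $names;
}

/** Extract with a running byte budget and a deadline; returns bytes written. */
function extractBounded(string $zipPath, string $destDir, array $limits): int
{
    $names = preflightZip($zipPath, $limits);
    $deadline = microtime(true) + $limits['maxSeconds'];
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new ZipLimitException("cannot open archive");
    }
    $written = 0;
    $dest = rtrim($destDir, '/');
    foreach ($names as $name) {
        $target = "$dest/$name";
        $isDir = substr($name, -1) === '/';
        $dir = $isDir ? $target : dirname($target);
        if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
            throw new ZipLimitException("cannot create $dir");
        }
        if ($isDir) {
            continue; // directory entry, nothing to write
        }
        $in = $zip->getStream($name);
        $out = $in === false ? false : fopen($target, 'wb');
        if ($in === false || $out === false) {
            throw new ZipLimitException("cannot open streams for $name");
        }
        while (!feof($in)) {
            $chunk = fread($in, 65536);
            if ($chunk === false || $chunk === '') {
                break;
            }
            $written += strlen($chunk);
            // Actual-bytes and wall-clock checks run per chunk, so a forged central
            // directory or a slow-to-inflate archive is stopped mid-stream.
            if ($written > $limits['maxTotalBytes'] || microtime(true) > $deadline) {
                fclose($in);
                fclose($out);
                $zip->close();
                throw new ZipLimitException("extraction budget exceeded at $name");
            }
            fwrite($out, $chunk);
        }
        fclose($in);
        fclose($out);
    }
    $zip->close();
    return $written;
}

// Example call with constructed paths (not the product's .zip_tmp layout):
$limits = [
    'maxEntries' => 500, 'maxTotalBytes' => 100 * 1024 * 1024, 'maxEntryBytes' => 20 * 1024 * 1024,
    'maxRatio' => 50, 'maxDepth' => 6, 'maxSeconds' => 10,
];
// $bytes = extractBounded('/tmp/upload.zip', '/tmp/extract', $limits);
```

When extractBounded() throws, the caller should remove the partially written destination directory so that a rejected upload does not leave gigabytes behind in the temporary area, and a failed preflight should be logged with the user and the rejected limit, since repeated rejections from one low-privileged account are the detection signal for this class of abuse.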
No official patches or mitigations have been publicly disclosed at the time of this report (GitHub Issue).
Source: This report was generated using AI