3.10.1.2
🚨 Security
This release fixes three path traversal vulnerabilities in the Kirby core:
| Description | Severity | CVE ID |
|---|---|---|
| Path traversal of snippet names during file system lookup | Medium (6.3) | CVE-2025-30159 |
| Path traversal of collection names during file system lookup | Medium (6.3) | CVE-2025-31493 |
| Path traversal in the router for PHP's built-in server | Low (2.3) | CVE-2025-30207 |
TL;DR
The first two vulnerabilities only affect Kirby sites that call the `snippet()` or `collection()` helpers with dynamic name values that could be controlled by an attacker. Sites that only use fixed calls to the `snippet()` or `collection()` helpers (i.e. calls with a simple string for the snippet/collection name) are not affected.
The last vulnerability only affects Kirby setups that use PHP's built-in server. Such setups are commonly only used during local development.
Impact
All three vulnerabilities have in common that they can be exploited via path traversal. By using special elements such as `..` and `/` separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the `../` sequence, which in most modern operating systems is interpreted as the parent directory of the current location.
The missing path traversal checks allowed attackers to navigate to and access any file on the server that was readable by the PHP process, including files outside of the relevant system roots or even outside of the Kirby installation. Depending on the vulnerability, the existence of the traversed file could be revealed, or PHP code contained in it could be executed.
You can read more about the vulnerabilities and their impact in the security advisories linked above.
Credits
Thanks to Bruno Meilick (@bnomei) and Tobias Möritz (@tobimori) for their responsible disclosure and for bringing this type of attack vector to our attention.
Note
If you deliberately use path traversal with the `snippet()` helper in your projects, these uses will break after updating to this patched version. You can read more about this and possible alternatives in the security advisory.
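As an added illustration for the Impact and Note sections (this is not Kirby's own code and not the fix shipped in this release), the standalone PHP below shows the kind of containment check that site code can apply before passing a user-influenced name to a file-system lookup such as the `snippet()` helper: it rejects `..` segments, absolute paths and unexpected characters, then confirms the resolved file still lies under the snippets root. The `resolveSnippetPath()` function, the `.php` suffix and the temporary directory are assumptions of this example.

```php
<?php
// Added example, not Kirby core code. Returns the resolved snippet file path
// when $name stays inside $root, or null when it must be refused.
function resolveSnippetPath(string $root, string $name): ?string
{
    $root = realpath($root);
    if ($root === false) {
        return null; // snippets root itself does not exist
    }
    // Allow only simple relative names: segments of letters, digits, '-' and
    // '_' joined by single '/' separators. This refuses '..', a leading '/',
    // empty segments, null bytes and other special characters outright.
    if (preg_match('~^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*$~', $name) !== 1) {
        return null;
    }
    // realpath() resolves symlinks and returns false for a missing file, so a
    // probe for non-existent paths gets the same answer as a refused name.
    $candidate = realpath($root . '/' . $name . '.php');
    if ($candidate === false) {
        return null;
    }
    // Belt and braces: even a syntactically clean name could point through a
    // symlink to a location outside the root, so compare the resolved prefix.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Demo against a constructed temporary snippets directory (assumption).
$tmp = sys_get_temp_dir() . '/snippets-' . bin2hex(random_bytes(4));
mkdir($tmp . '/cards', 0700, true);
file_put_contents($tmp . '/cards/article.php', '<?php echo "card";');

$checks = [
    'cards/article',      // plain relative name inside the root
    '../../etc/passwd',   // '..' segments fail the pattern check
    '/etc/passwd',        // absolute path fails the pattern check
    "cards/article\0",    // embedded null byte fails the pattern check
    'cards/missing',      // well-formed name, but realpath() finds no file
];
foreach ($checks as $name) {
    $result = resolveSnippetPath($tmp, $name);
    printf("%-22s => %s\n", json_encode($name), $result ?? 'refused');
}
```

If a site only needs a handful of dynamic snippets, mapping the user-supplied value onto a fixed allowlist of names before calling `snippet()` is simpler still and removes the file-system question entirely.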