
@dependabot dependabot bot commented on behalf of github May 13, 2025

Bumps getkirby/cms from 4.1.0 to 4.7.1.

Release notes

Sourced from getkirby/cms's releases.

4.7.1

🚨 Security

This release fixes three path traversal vulnerabilities in the Kirby core:

| Description | Severity | CVE ID |
| --- | --- | --- |
| Path traversal of snippet names during file system lookup | Medium (6.3) | CVE-2025-30159 |
| Path traversal of collection names during file system lookup | Medium (6.3) | CVE-2025-31493 |
| Path traversal in the router for PHP's built-in server | Low (2.3) | CVE-2025-30207 |

TL;DR

The first two vulnerabilities only affect Kirby sites that call the snippet() or collection() helpers with dynamic name values that could be controlled by an attacker. Sites that only use fixed calls to the snippet() or collection() helpers (i.e. calls with a simple string for the snippet/collection name) are not affected.

The last vulnerability only affects Kirby setups that use PHP's built-in server. Such setups are commonly only used during local development.

Impact

All three vulnerabilities have in common that they can be exploited via path traversal. By using special elements such as .. and / separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the ../ sequence, which in most modern operating systems is interpreted as the parent directory of the current location.

The missing path traversal checks allowed attackers to navigate and access all files on the server that were accessible to the PHP process, including files outside of the relevant system roots or even outside of the Kirby installation. Depending on the vulnerability, the existence of the traversed file could be revealed or contained PHP code could be executed.

You can read more about the vulnerabilities and their impact in the security advisories linked above.

Credits

Thanks to Bruno Meilick (@bnomei) and Tobias Möritz (@tobimori) for their responsible disclosure and for bringing this type of attack vector to our attention.

[!NOTE] If you deliberately use path traversal with the snippet() helper in your projects, these uses will break after updating to this patched version. You can read more about this and possible alternatives in the security advisory.


✨ Enhancements

  • Improve $page->dirname()/diruri() docblocks #7102

🐛 Bug fixes

  • Fix block selector not closing after pasting block #7087 (thanks to @fnwbr)
  • Media::thumb(): Fix passing File $model and test logic #7142
  • Fix duplicated slash in the router.php for the built-in PHP server #7188

🧹 Housekeeping

... (truncated)

Commits
  • 053f21f Merge pull request #7213 from getkirby/release/4.7.1
  • e320f5d fix: cs issues
  • 1be08de Preflight for 4.7.1
  • 3011110 Merge branch 'release/4.7.1' into develop-patch
  • ecb6bc3 Merge pull request #7188 from getkirby/fix/router-double-slash
  • 4411344 Remove duplicated slash from router script
  • 3251a72 Merge pull request #7143 from getkirby/fix/tests-vite-running
  • fbb0b0b Cleanup
  • 2c876dc Adapt tests to be executable independently
  • 3f35d84 Reset Vite dev mode after PHPUnit tests
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.
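The TL;DR in the release notes above says the snippet and collection path traversal issues only reach sites that pass attacker-controllable, dynamic names to `snippet()` or `collection()`. The following is an added example, not Kirby's own code or the fix shipped in 4.7.1, of the kind of containment check a site owner can put in front of such a call while the upgrade is being rolled out: an allowlist on the name's shape plus a `realpath()`-based check that the resolved file really sits under the intended root. The function name `resolveTemplateName`, the temporary snippet directory and the sample names are all constructed for the demonstration.

```php
<?php
// Added example (not Kirby's code): validate a dynamic snippet/collection
// name before it is resolved against a fixed root directory on disk.

/**
 * Resolve $name to a .php file under $root. Returns the absolute path,
 * or null when the name is malformed, would escape $root, or does not exist.
 */
function resolveTemplateName(string $root, string $name): ?string
{
    // Allowlist: segments of [A-Za-z0-9_-] separated by single forward slashes.
    // This rejects '..', absolute paths, backslashes, empty segments and NUL
    // bytes before any file system call is made.
    if (!preg_match('~^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*$~', $name)) {
        return null;
    }

    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null; // root itself is missing
    }

    $candidate = realpath($rootReal . '/' . $name . '.php');
    if ($candidate === false) {
        return null; // no such file (or a dangling symlink)
    }

    // Defence in depth: even after the allowlist, require the canonical path
    // to start with the root plus a separator, so a symlink inside the root
    // that points elsewhere on the system is still refused.
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

// Demonstration with a constructed, throwaway snippet directory.
$root = sys_get_temp_dir() . '/snippets-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/blocks', 0700, true);
file_put_contents($root . '/header.php', "<?php echo 'header';\n");
file_put_contents($root . '/blocks/text.php', "<?php echo 'text';\n");

// Constructed sample names: two legitimate ones, then the shapes a
// dynamic-name check must refuse, then a well-formed but absent name.
$samples = [
    'header',
    'blocks/text',
    '../../etc/passwd',
    '/etc/passwd',
    "header\0",
    'blocks/../header',
    'missing',
];

foreach ($samples as $name) {
    $resolved = resolveTemplateName($root, $name);
    printf("%-22s => %s\n", json_encode($name), $resolved ?? 'REJECTED');
}
```

Only `header` and `blocks/text` resolve; every other sample is reported as `REJECTED`. The regex does the real work, and the `realpath()` prefix comparison is there so that the decision does not depend solely on string filtering. A name such as `blocks/../header` is refused even though it would stay inside the root, which matches the note in the release notes that deliberate traversal through the helper is no longer supported after the patch.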

Bumps [getkirby/cms](https://github.com/getkirby/kirby) from 4.1.0 to 4.7.1.
- [Release notes](https://github.com/getkirby/kirby/releases)
- [Commits](getkirby/kirby@4.1.0...4.7.1)

---
updated-dependencies:
- dependency-name: getkirby/cms
  dependency-version: 4.7.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file php Pull requests that update php code labels May 13, 2025