VYPR
Moderate severity · NVD Advisory · Published Oct 21, 2025 · Updated Oct 27, 2025

CVE-2025-60790

Description

ProcessWire CMS 3.0.246 allows a low-privileged user with lang-edit to upload a crafted ZIP to Language Support that is auto-extracted without limits prior to validation, enabling resource-exhaustion Denial of Service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ProcessWire CMS 3.0.246 allows low-privileged users with lang-edit to upload a crafted ZIP that is extracted without limits, causing resource-exhaustion denial of service.

Vulnerability

Details

ProcessWire CMS 3.0.246 contains a denial-of-service vulnerability in its archive handling. The core issue lies in WireFileTools::unzip(), which extracts user-supplied ZIP archives before any validation and without resource limits. Specifically, WireUpload::saveUploadZip() writes uploaded archives to a temporary directory and immediately calls unzip(), which iterates all ZIP entries and extracts them using ZipArchive::extractTo(). The only guard is a check for .. in entry names; there are no limits on total uncompressed size, number of entries, directory depth, or extraction time [1][3][4].

Exploitation

The attack surface is accessible to low-privileged users with the lang-edit permission. These users can upload ZIP files through the Language Support file fields (e.g., Core Translation Files or Site Translation Files) under Setup → Languages. The uploaded ZIP is automatically extracted without any pre-validation. An attacker can craft a ZIP bomb—a small archive that expands to gigabytes of data—causing resource exhaustion on the server's CPU and disk [3][4].
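The checks the Details and Exploitation sections describe as missing, as an added example in PHP (this is not ProcessWire code, and the class name BoundedUnzip, the limit constants and the two-pass structure are assumptions of this example): the archive is rejected on central-directory metadata before anything is written to disk, and because declared sizes are attacker-controlled, the real byte count is enforced again while streaming.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not ProcessWire's WireFileTools::unzip(). A bounded ZIP
 * extractor: pass 1 validates entry count, declared uncompressed size,
 * compression ratio, path depth and traversal from the central directory
 * (no disk writes); pass 2 streams entries against a hard byte budget so a
 * bomb that lies about its sizes still cannot fill the disk.
 * All limits are illustrative assumptions, not values from the project.
 */
final class BoundedUnzip
{
    const MAX_ENTRIES     = 500;
    const MAX_TOTAL_BYTES = 64 * 1024 * 1024;   // total uncompressed output
    const MAX_ENTRY_BYTES = 16 * 1024 * 1024;   // per entry
    const MAX_DEPTH       = 8;                  // path components
    const MAX_RATIO       = 100;                // uncompressed / compressed

    /** Extracts $zipPath into $destDir; returns the relative paths written. */
    public static function extract(string $zipPath, string $destDir): array
    {
        $zip = new ZipArchive();
        if ($zip->open($zipPath) !== true) {
            throw new RuntimeException("cannot open archive: $zipPath");
        }
        try {
            $names = self::validate($zip);      // pass 1: nothing written yet
            return self::stream($zip, $destDir, $names);
        } finally {
            $zip->close();
        }
    }

    /** Pass 1: reject on metadata alone; traversal, depth, size, ratio, count. */
    private static function validate(ZipArchive $zip): array
    {
        if ($zip->numFiles > self::MAX_ENTRIES) {
            throw new RuntimeException("too many entries: {$zip->numFiles}");
        }
        $total = 0;
        $names = [];
        for ($i = 0; $i < $zip->numFiles; $i++) {
            $st = $zip->statIndex($i);
            if ($st === false) {
                throw new RuntimeException("unreadable entry index $i");
            }
            $name  = $st['name'];
            $parts = explode('/', str_replace('\\', '/', $name));
            if ($name === '' || $name[0] === '/' || in_array('..', $parts, true)) {
                throw new RuntimeException("unsafe entry name: $name");
            }
            if (count($parts) > self::MAX_DEPTH) {
                throw new RuntimeException("entry nested too deep: $name");
            }
            if ($st['size'] > self::MAX_ENTRY_BYTES) {
                throw new RuntimeException("entry too large: $name");
            }
            // Bytes claimed from zero compressed input, or an extreme ratio, is a bomb signature.
            if ($st['size'] > 0 && ($st['comp_size'] === 0 || $st['size'] / $st['comp_size'] > self::MAX_RATIO)) {
                throw new RuntimeException("suspicious compression ratio: $name");
            }
            $total += $st['size'];
            if ($total > self::MAX_TOTAL_BYTES) {
                throw new RuntimeException("archive declares more than the total limit");
            }
            $names[] = $name;
        }
        return $names;
    }

    /** Pass 2: stream each entry; abort and roll back the moment the budget is spent. */
    private static function stream(ZipArchive $zip, string $destDir, array $names): array
    {
        $budget  = self::MAX_TOTAL_BYTES;
        $written = [];
        $root    = rtrim($destDir, '/');
        foreach ($names as $name) {
            $target = "$root/$name";
            $dir    = substr($name, -1) === '/' ? $target : dirname($target);
            if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
                throw new RuntimeException("cannot create $dir");
            }
            if ($dir === $target) {
                continue;                       // directory entry, nothing to stream
            }
            $in  = $zip->getStream($name);
            $out = $in ? fopen($target, 'wb') : false;
            if (!$in || !$out) {
                throw new RuntimeException("cannot open entry or target for $name");
            }
            while (!feof($in)) {
                $chunk   = (string) fread($in, 65536);
                $budget -= strlen($chunk);
                if ($budget < 0) {              // real bytes override the declared sizes
                    fclose($in); fclose($out);
                    @unlink($target);
                    foreach ($written as $w) { @unlink("$root/$w"); }
                    throw new RuntimeException("byte budget exceeded while extracting $name");
                }
                fwrite($out, $chunk);
            }
            fclose($in); fclose($out);
            $written[] = $name;
        }
        return $written;
    }
}
```

Calling BoundedUnzip::extract() in place of an unguarded extractTo() turns the zip-bomb case into a rejected upload with nothing left on disk: the first pass catches archives whose central directory admits to the expansion, and the budget in the second pass catches those that do not. The ratio and size thresholds are deliberately conservative for translation files, which are small text; tune them to the largest legitimate upload the feature needs.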

Impact

Successful exploitation leads to a denial-of-service condition through resource exhaustion. The CVSS v3 base score is 6.5 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H: reachable over the network, low attack complexity, low privileges required, no user interaction, no confidentiality or integrity impact, and high availability impact [1]. No authentication bypass or data access is achieved; the attack solely disrupts service.

Mitigation

As of the publication date, no official patch has been released for ProcessWire 3.0.246. The issue is documented in the project's issue tracker [4]. Administrators are advised to restrict the lang-edit permission to trusted users only or to disable ZIP uploads in Language Support if not required. The vendor may address this in a future release.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: processwire/processwire (Packagist)
Affected versions: <= 3.0.246
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)