Kirby CMS Denial-of-Service Vulnerability via Malformed Image Upload

Vulnerability

A persistent denial-of-service vulnerability has been identified in Kirby CMS versions through 5.1.4. The issue allows an authenticated user with 'Editor' permissions to cause a crash by uploading a malformed image file. Kirby CMS processes uploaded images using PHP's getimagesize() function, which returns false for files it cannot parse as an image. That return value is not validated before the application passes it on to thumbnail generation or metadata processing, so code expecting an array receives a boolean and raises a fatal TypeError. Because the uploaded file is kept on disk, the crash recurs on every page load until the problematic file is manually deleted from the filesystem.

Impact

Exploitation of this vulnerability causes a persistent denial-of-service condition, where affected pages return an HTTP 500 error until the malformed file is removed.

Reproduction

To reproduce this vulnerability, an authenticated user with 'Editor' permissions uploads a malformed image file carrying a valid image extension, such as .jpg. Kirby CMS processes the file with getimagesize(), which returns false instead of the expected array. This unvalidated return value causes a TypeError when the system tries to generate a thumbnail or process the image's metadata, resulting in a server error.
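The failure mode described in the Vulnerability and Reproduction sections, shown as an added PHP example (not Kirby's own code; the function names and the constructed sample file are assumptions): the unchecked pattern hands getimagesize()'s false to a function typed to take an array, while the hardened check rejects the upload before anything downstream runs.

```php
<?php
// Added example, not Kirby CMS code. Demonstrates why an unvalidated
// getimagesize() result is fatal and how to validate it up front.

// Constructed sample: a ".jpg" whose bytes are not image data at all.
$path = sys_get_temp_dir() . '/constructed-not-an-image.jpg';
file_put_contents($path, "plain text masquerading as a JPEG");

// Hypothetical downstream consumer: typed to expect the array that
// getimagesize() returns on success. Passing false here raises a
// TypeError even in PHP's coercive typing mode (bool cannot become array).
function thumbnailDimensions(array $info): array
{
    return ['width' => intdiv($info[0], 2), 'height' => intdiv($info[1], 2)];
}

// Hardened upload check (hypothetical name): validate by content, not by
// file extension, and fail closed before the file is stored or processed.
function validateImageUpload(string $path): array
{
    $info = getimagesize($path);           // false when the bytes are not a recognised image
    if ($info === false) {
        throw new InvalidArgumentException('Upload is not a valid image: ' . basename($path));
    }
    // Constrain the detected type to formats the thumbnailer actually supports.
    $allowed = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF, IMAGETYPE_WEBP];
    if (!in_array($info[2], $allowed, true)) {
        throw new InvalidArgumentException('Unsupported image type for ' . basename($path));
    }
    return $info;
}

// Unchecked path: this is the crash class the advisory describes.
try {
    thumbnailDimensions(getimagesize($path));
} catch (TypeError $e) {
    echo 'Unchecked path: ' . get_class($e) . ' - ' . $e->getMessage() . PHP_EOL;
}

// Checked path: the bad upload is rejected with a handled error instead.
try {
    validateImageUpload($path);
} catch (InvalidArgumentException $e) {
    echo 'Checked path: rejected - ' . $e->getMessage() . PHP_EOL;
}

unlink($path);
```

The check must run before the file is written into the content directory; validating only at thumbnail time still leaves a stored file that re-triggers the error on every request, which is exactly the persistence the advisory describes.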

Remediation

Users can upgrade to Kirby CMS version 5.2.0-rc.1, where this vulnerability has been fixed.

Added: Mar 26, 2026, 5:48 PM
Updated: Mar 26, 2026, 5:48 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 4.7
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.