Security update (3.4.5 and 2.5.14)

There are good days and then there are days when we get vulnerability reports.

We received a report yesterday that phar files can be uploaded in the Panel. We have all kinds of security checks for file uploads, but have to admit that phar files slip through those checks. phar files are basically PHP files and can be executed on the server. This is critical when you cannot fully trust your editor team in the Panel. Frontend users have no way to abuse this attack vector. It is only available for logged-in users with permissions to upload files. An example would be a rogue team member in your company who just got fired and is now trying to take your site down as revenge before they lose access.

@lukasbestle instantly worked on a fix for v3 and I also created a fix for v2, which had the same issue. This security patch is now available in Kirby 3.4.5 and Kirby 2.5.14.

We decided to release a fix for Kirby 2 as well although we are going to drop security support on December 31st. But we don’t want to leave this version with a known vulnerability.

Updates can be done in the same way as always:

v3: replace your kirby folder
v2: replace your kirby and panel folders

We are really sorry for this issue! We know how busy the last weeks of the year are for everyone and the last thing you need is a security update. :pensive:
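
After updating, it can be useful to check whether a phar file was already uploaded. The script below is an added example, not part of the original post or of Kirby's code; it goes beyond the announcement by also flagging other PHP-style extensions and renamed phar archives, and it assumes uploads live under a `content` directory (the extension list beyond `phar` is likewise an assumption).

```python
import os
import sys
from pathlib import Path

# Assumption: extensions a PHP-enabled web server may pass to the interpreter.
# Only "phar" comes from the announcement; the others are added here.
EXECUTABLE_EXTS = {"phar", "php", "phtml", "pht", "php5", "php7"}
# In the native phar format, the archive's PHP stub ends with this token.
PHAR_MARKER = b"__HALT_COMPILER();"


def has_phar_stub(path, chunk=1 << 20):
    """Stream the file and report whether the phar stub token occurs in it."""
    tail = b""
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            data = tail + block
            if PHAR_MARKER in data:
                return True
            # Keep an overlap so a token split across two reads is still seen.
            tail = data[-(len(PHAR_MARKER) - 1):]
    return False


def audit_uploads(root):
    """Return sorted (relative_path, reason) pairs for suspicious files."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            # Look at every dot-separated part after the base name, so that
            # "tool.PHAR" and "avatar.phar.jpg" are both flagged.
            hit = {p.lower() for p in name.split(".")[1:]} & EXECUTABLE_EXTS
            if hit:
                findings.append((rel, "extension:" + ",".join(sorted(hit))))
            elif has_phar_stub(path):
                findings.append((rel, "content:phar-stub"))
    return sorted(findings)


if __name__ == "__main__":
    # Assumption: uploads live under ./content unless a path is given.
    target = sys.argv[1] if len(sys.argv) > 1 else "content"
    for rel, reason in audit_uploads(target):
        print(f"{reason}\t{rel}")
```

A hit is a prompt for manual review, not proof of abuse; the content check only recognises archives whose stub is stored uncompressed.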


We are really sorry for this issue!

Developers should never need to apologise for security updates.
Thanks for your continued vigilance on these matters and ensuring Kirby is rock solid! :grinning:

Best regards.



Thanks for the security updates and the last 2.x support. This is why I’ve chosen Kirby. But…
You’re mentioning

v2: replace your kirby and panel folders

I can’t see the “kirby” folder in the provided git update, only the “panel” folder
What’s the “tests” folder for?
I have 2.5.12 version installed but I can’t find either a 2.5.13 version or a complete 2.5.14 version. Many thanks. Nicolas

The Kirby folder is here:

complete Plainkit with both:
