GHSA-3vwr-jj4f-h98x
eZ Publish Remote code execution in file uploads
Blast Radius
ezsystems/ezpublish-kernel🐘ezsystems/ezpublish-kernel🐘ezsystems/ezpublish-kernelReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.
Description
This Security Advisory is about a vulnerability in the way eZ Platform and eZ Publish Legacy handles file uploads, which can in the worst case lead to remote code execution (RCE), a very serious threat. An attacker would need access to uploading files to be able to exploit the vulnerability, so if you have strict controls on this and trust all who have this permission, you're not affected. On the basis of the tests we have made, we also believe the vulnerability cannot be exploited as long as our recommended vhost configuration is used. Here is the v2.5 recommendation for Nginx, as an example:
https://github.com/ezsystems/ezplatform/blob/2.5/doc/nginx/vhost.template#L31
This vhost template specifies that only the file app.php in the web root is executed, while vulnerable configurations allow execution of any php file. Apache is affected in the same way as Nginx, and is also protected by using the recommended configuration. The build-in webserver in PHP stays vulnerable, as it doesn't use this type of configuration (this webserver should only be used for development, never for production). We cannot be 100% certain our configuration is not vulnerable. We also do not know if all our users use the recommended configuration, so we send out this fix to be on the safe side.
The fix includes a blacklist feature for uploaded filenames, such as ".php". The file types on the blacklist cannot be uploaded. The blacklist is configurable. In eZ Platform you will find it as ezsettings.default.io.file_storage.file_type_blacklist in eZ/Bundle/EzPublishCoreBundle/Resources/config/default_settings.yml in vendors/ezsystems/ezpublish-kernel. In eZ Publish Legacy you will find it as FileExtensionBlackList in settings/file.ini. By default it blocks these file types: php, php3, phar, phpt, pht, phtml, pgif. The fix also inclues a new block against path traversal attacks, though this kind of attack was not reproducible in our tests.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘Packagist | ezsystems/ezpublish-kernel | ≥ 7.5.0&&< 7.5.6.2 | 7.5.6.2 |
| 🐘Packagist | ezsystems/ezpublish-kernel | ≥ 6.13.0&&< 6.13.6.2 | 6.13.6.2 |
| 🐘Packagist | ezsystems/ezpublish-kernel | ≥ 5.4.0&&< 5.4.14.1 | 5.4.14.1 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for ezsystems/ezpublish-kernel. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update ezsystems/ezpublish-kernel to 7.5.6.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-3vwr-jj4f-h98x is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-3vwr-jj4f-h98x is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-3vwr-jj4f-h98x. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-3vwr-jj4f-h98x in your dependencies?
O3 detects GHSA-3vwr-jj4f-h98x across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.