CVE-2025-27515
Published: 05 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-27515 is a high-severity vulnerability in Laravel, a popular PHP web application framework. It affects applications that use wildcard validation rules for file or image fields, such as `files.*`. A user-crafted malicious request can bypass these validation rules, so the application ends up handling invalid or malicious uploads that its rules were meant to reject. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-155. It was published on 2025-03-05 and resolved in Laravel versions 11.44.1 and 12.1.1.
Unauthenticated attackers with network access can exploit this vulnerability by submitting specially crafted requests to endpoints that perform wildcard file validation. Successful exploitation bypasses the intended security checks on uploaded files or images, potentially causing severe impact on confidentiality, integrity, and availability, such as arbitrary code execution, data exfiltration, or server disruption, depending on the application's configuration.
The official Laravel security advisory (GHSA-78fx-h6xr-vch4) and the fixing commit (2d133034fefddfb047838f4caca3687a3ba811a5) recommend upgrading to Laravel 11.44.1 or 12.1.1 to mitigate the issue. No additional workarounds are specified in the provided references.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote unauthenticated bypass of file upload validation in a public-facing Laravel web application, directly enabling T1190 (Exploit Public-Facing Application) with potential for arbitrary code execution or other impacts.