CVE-2025-56399
Published: 28 October 2025
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2025-56399, published on 2025-10-28, is a code injection vulnerability (CWE-94) in the alexusmai/laravel-file-manager package, affecting version 3.3.1 and prior releases. It enables remote code execution (RCE) through a crafted file upload in the file manager interface. The issue stems from inadequate server-side validation, where files disguised with a .png extension but containing PHP code can bypass client-side checks and be stored on the server. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete system compromise.
An authenticated attacker with low privileges can exploit this by uploading the malicious .png file via the file manager. Although the client-side check reports a failure, the file is still saved on the server; the attacker then uses the rename API endpoint to change the extension to .php. Accessing the renamed file through its public URL causes the server to execute the embedded PHP code, potentially granting full control over the application server, including data exfiltration, persistence, or further lateral movement.
Mitigation details and advisories are available from the vendor at http://laravel-file-manager.com and the GitHub proof-of-concept repository at https://github.com/Theethat-Thamwasin/CVE-2025-56399. Security practitioners should review these sources for patches, upgrades, or workarounds specific to the affected Laravel file manager installations.
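The chain above has two weak points: upload validation that trusts the extension, and a rename route that applies no policy at all. The following is an added example written for this advisory, not code from the laravel-file-manager project; the extension lists and magic-byte table are assumptions to be adjusted per deployment.

```php
<?php
declare(strict_types=1);
// Added example, not laravel-file-manager's own code: server-side checks that close
// both steps of the chain above. Both extension lists below are assumptions.
const EXECUTABLE_EXTENSIONS = ['php', 'phtml', 'php3', 'php5', 'php7', 'phar', 'phps'];
// Allowed upload extensions and the magic bytes their content must begin with.
const ALLOWED_SIGNATURES = [
    'png' => ["\x89PNG\r\n\x1a\n"],
];

// True if any dotted segment is executable, so "shell.php.png" is rejected too.
function hasExecutableExtension(string $filename): bool
{
    foreach (explode('.', strtolower(basename($filename))) as $part) {
        if (in_array($part, EXECUTABLE_EXTENSIONS, true)) {
            return true;
        }
    }
    return false;
}

// Null when the name is acceptable, otherwise the rejection reason. Applied to
// upload AND rename, so the rename endpoint cannot become the bypass.
function rejectName(string $filename): ?string
{
    if (hasExecutableExtension($filename)) {
        return 'executable extension';
    }
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return isset(ALLOWED_SIGNATURES[$ext]) ? null : 'extension not allowed';
}

// Upload check: name policy, then the bytes must match the claimed type and must
// not contain a PHP open tag anywhere (a valid PNG header alone is not enough).
function rejectUpload(string $filename, string $content): ?string
{
    if (($reason = rejectName($filename)) !== null) {
        return $reason;
    }
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    $magicOk = false;
    foreach (ALLOWED_SIGNATURES[$ext] as $magic) {
        $magicOk = $magicOk || strncmp($content, $magic, strlen($magic)) === 0;
    }
    if (!$magicOk) {
        return 'content does not match extension';
    }
    return preg_match('/<\?(php|=)/i', $content) ? 'embedded PHP open tag' : null;
}
```

Calling rejectName() from the rename handler is the part that matters for this CVE; disabling script execution in the upload directory at the web server remains the defence-in-depth layer these checks do not replace.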
Details
- CWE(s): CWE-94 (code injection)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows authenticated attackers to exploit a public-facing web file manager (T1190) by uploading a malicious file with embedded PHP code disguised as .png, renaming it to .php, and executing it as a web shell (T1505.003), enabling remote code execution.