CVE-2025-66509

CVE-2025-66509 affects LaraDashboard, an all-in-one solution for starting Laravel applications, in versions 2.3.0 and earlier. The vulnerability resides in the password reset flow, which improperly trusts the Host header. This flaw enables attackers to redirect an administrator's reset token to a server under their control. When combined with the module installation process, it triggers automatic execution of the ServiceProvider::boot() method, resulting in arbitrary PHP code execution. The issue is rated with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-284 (Improper Access Control).

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. By manipulating the Host header during the password reset process, they can intercept the administrator's reset token and redirect it to their own server. Subsequent integration with module installation allows the attacker to craft a malicious module that executes arbitrary PHP code upon booting the ServiceProvider, potentially leading to full server compromise, data theft, or further persistence.

Mitigation details are provided in the LaraDashboard GitHub security advisory (GHSA-j9mm-c9cj-pc82) and a related commit (cc42f9cdf8e59bce794ee2d812a9709b1e6efa87), which address the Host header trust issue in the password reset flow. Security practitioners should update to a patched version beyond 2.3.0 and review configurations for Host header validation in Laravel-based applications.