FKIE_CVE-2025-56399

Vulnerability from fkie_nvd - Published: 2025-10-28 16:15 - Updated: 2025-10-30 15:05
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
alexusmai laravel-file-manager 3.3.1 and before allows an authenticated attacker to achieve Remote Code Execution (RCE) through a crafted file upload. A file with a '.png` extension containing PHP code can be uploaded via the file manager interface. Although the upload appears to fail client-side validation, the file is still saved on the server. The attacker can then use the rename API to change the file extension to `.php`, and upon accessing it via a public URL, the server executes the embedded code.
References
cve@mitre.orghttp://laravel-file-manager.com
cve@mitre.orghttps://github.com/Theethat-Thamwasin/CVE-2025-56399
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "alexusmai laravel-file-manager 3.3.1 and before allows an authenticated attacker to achieve Remote Code Execution (RCE) through a crafted file upload. A file with a \u0027.png` extension containing PHP code can be uploaded via the file manager interface. Although the upload appears to fail client-side validation, the file is still saved on the server. The attacker can then use the rename API to change the file extension to `.php`, and upon accessing it via a public URL, the server executes the embedded code."
    },
    {
      "lang": "es",
      "value": "alexusmai laravel-file-manager 3.3.1 y versiones anteriores permite a un atacante autenticado lograr la Ejecuci\u00f3n Remota de C\u00f3digo (RCE) a trav\u00e9s de una carga de archivo manipulada. Un archivo con una extensi\u00f3n \u0027.png\u0027 que contiene c\u00f3digo PHP puede ser cargado a trav\u00e9s de la interfaz del gestor de archivos. Aunque la carga parece fallar la validaci\u00f3n del lado del cliente, el archivo a\u00fan se guarda en el servidor. El atacante puede entonces usar la API de renombrado para cambiar la extensi\u00f3n del archivo a \u0027.php\u0027, y al acceder a \u00e9l a trav\u00e9s de una URL p\u00fablica, el servidor ejecuta el c\u00f3digo incrustado."
    }
  ],
  "id": "CVE-2025-56399",
  "lastModified": "2025-10-30T15:05:32.197",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-10-28T16:15:38.543",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://laravel-file-manager.com"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://github.com/Theethat-Thamwasin/CVE-2025-56399"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.