GHSA-J3F9-P6HM-5W6Q

Vulnerability from github – Published: 2025-01-08 21:03 – Updated: 2025-02-25 18:39
VLAI?
Summary
Carbon has an arbitrary file include via unvalidated input passed to Carbon::setLocale
Details

Impact

Application passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include, if the application allows users to upload files with .php extension in an folder that allows include or require to read it, then they are at risk of arbitrary code ran on their servers.

Patches

Workarounds

Any of the below actions can be taken to prevent the issue: - Validate input before calling setLocale(), for instance by forbidding or removing / and \ - Call setLocale() only with a locale from a whitelist of supported locales - When uploading files, rename them so they cannot have a .php extension (this is recommended even if you're not affected by this issue) - Prefer storage system that are not local to the application (remote service, or local service ran by another user so the uploaded files actually live outside of the application basedir)

References

https://en.wikipedia.org/wiki/File_inclusion_vulnerability

Credits

Thanks to Szczepan Hołyszewski who reported the issue and to Tidelift to coordinate the resolution

Severity ?
6.3 (Medium)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "nesbot/carbon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.8.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "nesbot/carbon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.72.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-22145"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-98"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-08T21:03:28Z",
    "nvd_published_at": "2025-01-08T21:15:13Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nApplication passing unsanitized user input to `Carbon::setLocale` are at risk of arbitrary file include, if the application allows users to upload files with `.php` extension in an folder that allows `include` or `require` to read it, then they are at risk of arbitrary code ran on their servers.\n\n### Patches\n- [3.8.4](https://github.com/briannesbitt/Carbon/releases/tag/3.8.4)\n- [2.72.6](https://github.com/briannesbitt/Carbon/releases/tag/2.72.6)\n\n### Workarounds\nAny of the below actions can be taken to prevent the issue:\n- Validate input before calling `setLocale()`, for instance by forbidding or removing `/` and `\\`\n- Call `setLocale()` only with a locale from a whitelist of supported locales\n- When uploading files, rename them so they cannot have a `.php` extension (this is recommended even if you\u0027re not affected by this issue)\n- Prefer storage system that are not local to the application (remote service, or local service ran by another user so the uploaded files actually live outside of the application basedir)\n\n### References\nhttps://en.wikipedia.org/wiki/File_inclusion_vulnerability\n\n### Credits\nThanks to **Szczepan Ho\u0142yszewski** who reported the issue and to Tidelift to coordinate the resolution",
  "id": "GHSA-j3f9-p6hm-5w6q",
  "modified": "2025-02-25T18:39:47Z",
  "published": "2025-01-08T21:03:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/CarbonPHP/carbon/security/advisories/GHSA-j3f9-p6hm-5w6q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22145"
    },
    {
      "type": "WEB",
      "url": "https://github.com/briannesbitt/Carbon/commit/129700ed449b1f02d70272d2ac802357c8c30c58"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/CarbonPHP/carbon"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00032.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Carbon has an arbitrary file include via unvalidated input passed to Carbon::setLocale"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.