CVE-2025-27515

9.8 CRITICAL

📋 TL;DR

A validation bypass vulnerability in Laravel's wildcard file validation allows attackers to upload malicious files by crafting specific request patterns. This affects Laravel applications using wildcard validation (files.*) for file uploads. All applications using vulnerable Laravel versions with file upload functionality are potentially affected.

💻 Affected Systems

Products:
  • Laravel Framework
Versions: Laravel 11.x before 11.44.1, Laravel 12.x before 12.1.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using wildcard validation patterns like 'files.*' for file upload validation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution via malicious file upload leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Malicious file upload leading to server-side request forgery, local file inclusion, or denial of service attacks.

🟢 If Mitigated

Limited impact if additional file type/size validation, proper file storage isolation, and web server security controls are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires file upload functionality with wildcard validation. No public exploit code available at advisory publication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Laravel 11.44.1 or Laravel 12.1.1

Vendor Advisory: https://github.com/laravel/framework/security/advisories/GHSA-78fx-h6xr-vch4

Restart Required: No

Instructions:

1. Update Laravel via composer: 'composer require laravel/framework:^11.44.1' or 'composer require laravel/framework:^12.1.1'.
2. Run 'composer update'.
3. Clear cache: 'php artisan config:clear' and 'php artisan cache:clear'.

🔧 Temporary Workarounds

Manual validation without wildcards (applies to: all)

Replace wildcard validation with explicit field validation for each file upload field.

Additional server-side file validation (applies to: all)

Implement server-side file type checking and size validation after Laravel validation.
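The two workarounds above, written out as an added example (this is not Laravel's own code nor code from the advisory). The controller name, the field names 'document' and 'attachment', the allowed MIME lists and the size limit are assumptions chosen for illustration; the point is that every upload field has its own explicit rule set instead of a 'files.*' wildcard, and that a content-sniffing check runs after Laravel's validation has passed.

```php
<?php
// Added example, not Laravel's or the advisory's code. Field names, MIME
// allow-lists and the size cap are assumptions for illustration.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Http\UploadedFile;
use Illuminate\Validation\ValidationException;

class UploadController extends Controller
{
    // Workaround 1: one explicit rule set per upload field, no 'files.*' wildcard.
    private const RULES = [
        'document'   => ['required', 'file', 'mimes:pdf', 'max:5120'],
        'attachment' => ['nullable', 'file', 'mimes:png,jpg', 'max:2048'],
    ];

    // Workaround 2: server-side allow-list applied after Laravel validation.
    private const ALLOWED_MIME = [
        'document'   => ['application/pdf'],
        'attachment' => ['image/png', 'image/jpeg'],
    ];

    private const MAX_BYTES = 5 * 1024 * 1024;

    public function store(Request $request)
    {
        // Laravel validation with explicit field names only.
        $request->validate(self::RULES);

        $stored = [];
        foreach (array_keys(self::RULES) as $field) {
            $file = $request->file($field);
            // Skips a missing optional field and anything that is not a single file.
            if (!$file instanceof UploadedFile) {
                continue;
            }
            $this->assertAllowed($field, $file);
            // Store under a server-chosen name on the non-public 'local' disk,
            // never under the client-supplied file name.
            $stored[$field] = $file->store('uploads', 'local');
        }

        return response()->json(['stored' => $stored], 201);
    }

    // Independent check that does not trust the client-supplied name or Content-Type.
    private function assertAllowed(string $field, UploadedFile $file): void
    {
        if (!$file->isValid()) {
            throw ValidationException::withMessages([$field => 'Upload failed.']);
        }
        if ($file->getSize() > self::MAX_BYTES) {
            throw ValidationException::withMessages([$field => 'File too large.']);
        }
        // Sniff the bytes on disk with finfo instead of reading the request header.
        $finfo    = new \finfo(FILEINFO_MIME_TYPE);
        $detected = $finfo->file($file->getRealPath());
        if (!in_array($detected, self::ALLOWED_MIME[$field], true)) {
            throw ValidationException::withMessages(
                [$field => "Disallowed file type: {$detected}"]
            );
        }
    }
}
```

Because the rule keys are literal field names, a request that supplies files under any other key is simply not validated as a file and is never read by the loop; the finfo check then rejects content whose magic bytes do not match the allow-list even when the extension and Content-Type header look right.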

🧯 If You Can't Patch

  • Implement strict web server file upload restrictions (size, type, location)
  • Use WAF rules to block suspicious file upload patterns and validate file signatures

🔍 How to Verify

Check if Vulnerable:

Check the Laravel version in composer.json or run 'php artisan --version'. Then verify whether the application uses wildcard file validation patterns such as 'files.*'.

Check Version:

php artisan --version

Verify Fix Applied:

Confirm the Laravel version is 11.44.1+ (11.x line) or 12.1.1+ (12.x line) via 'php artisan --version'. Test file upload validation with crafted requests.
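A scripted version of the "Check if Vulnerable" step, added here as an example (not from the advisory or from Laravel). It reads composer.lock, which records the exact installed release rather than the constraint in composer.json, and compares it against the patched versions the advisory lists for each major line. The script, its output format and exit codes are assumptions; the fixed versions 11.44.1 and 12.1.1 are taken from the advisory.

```php
<?php
// Added example, not part of the advisory. Decides from composer.lock whether the
// installed laravel/framework is below the patched release for its major line.
// Usage: php check_cve_2025_27515.php [path/to/composer.lock]

const FIXED = ['11' => '11.44.1', '12' => '12.1.1'];  // from the advisory

function installedLaravelVersion(string $lockFile): ?string
{
    $lock = json_decode(file_get_contents($lockFile), true, 512, JSON_THROW_ON_ERROR);
    foreach ($lock['packages'] ?? [] as $pkg) {
        if (($pkg['name'] ?? '') === 'laravel/framework') {
            return ltrim($pkg['version'], 'v');  // composer records e.g. "v11.40.0"
        }
    }
    return null;
}

// true = below the fixed release, false = patched, null = major line not listed.
function isVulnerable(string $version): ?bool
{
    $major = explode('.', $version)[0];
    if (!isset(FIXED[$major])) {
        return null;
    }
    return version_compare($version, FIXED[$major], '<');
}

$lockFile = $argv[1] ?? 'composer.lock';
$version  = installedLaravelVersion($lockFile);
if ($version === null) {
    fwrite(STDERR, "laravel/framework not found in {$lockFile}\n");
    exit(2);
}

$state = isVulnerable($version);
if ($state === null) {
    printf("laravel/framework %s: major line not listed in CVE-2025-27515\n", $version);
    exit(0);
}
$major = explode('.', $version)[0];
printf("laravel/framework %s: %s\n", $version,
    $state ? 'VULNERABLE (below ' . FIXED[$major] . ')' : 'patched');
exit($state ? 1 : 0);
```

Run it from the project root; a non-zero exit makes it usable as a gate in CI. A version outside the 11.x and 12.x lines is reported as not listed rather than as safe, since the advisory only states fixed versions for those two lines.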

📡 Detection & Monitoring

Log Indicators:

  • Unusual file upload patterns with array notation
  • Failed validation attempts with crafted field names
  • Unexpected file types in upload directories

Network Indicators:

  • HTTP POST requests with crafted file field names containing wildcard bypass patterns

SIEM Query:

source="web_logs" AND (method="POST" AND uri="*/upload" AND (form_data LIKE "%files[%" OR form_data LIKE "%files.*%"))
