CVE-2025-62798
📋 TL;DR
This Cross-Site Scripting (XSS) vulnerability in Sharp, the Laravel admin panel package, lets an attacker place content in a field that is displayed through the SharpShowTextField component and have it executed in the browser of whoever views that Show page: text containing Vue interpolation expressions ({{ ... }}) is evaluated rather than shown as literal text, which allows arbitrary JavaScript to run in the viewer's session. All Laravel applications using Sharp versions prior to 9.11.1 are affected where SharpShowTextField displays user-controlled content.
💻 Affected Systems
- code16/sharp (Laravel package)
⚠️ Manual Verification Required
The CVE database entry used here carries no machine-readable version range, so automated scanners that rely on NVD data alone may not flag this issue. The vendor advisory linked below names 9.11.1 as the fixed release, so treat any earlier version as affected and verify by hand:
- Review the CVE details at NVD and the vendor advisory
- Compare your installed code16/sharp version against 9.11.1 (see How to Verify below)
- Check whether any SharpShowTextField displays content that users outside the admin team can write
- Update to 9.11.1 or later; the fix removes the need for any workaround
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect users to malicious sites, or deface the application interface.
Likely Case
Attackers who can write content that is later displayed through a SharpShowTextField (for example via a public form whose submissions are reviewed in Sharp, or through a low-privileged account) could inject expressions that run in the sessions of the Sharp users viewing that record, typically administrators, and steal their data or perform actions with their privileges.
If Mitigated
Where user-controlled values are encoded before they reach the field, or the field is only ever fed trusted content, the impact is limited to the remaining fields in which raw user input is rendered without sanitization.
🎯 Exploit Status
Exploitation requires the ability to inject content that gets rendered by the vulnerable component. This typically requires some level of access to input fields or data storage.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.11.1
Vendor Advisory: https://github.com/code16/sharp/security/advisories/GHSA-9f58-4465-23c7
Restart Required: No
Instructions:
1. In composer.json, require the fixed release: "code16/sharp": "^9.11.1"
2. Run composer update code16/sharp
3. Clear the Laravel cache with php artisan cache:clear
4. Confirm the installed version with composer show code16/sharp
🔧 Temporary Workarounds
Implement Output Encoding
Encode user-controlled values before they are handed to a SharpShowTextField so that Vue does not evaluate interpolation expressions. Note that ordinary HTML escaping (htmlspecialchars() or Laravel's e()) leaves the { and } characters untouched, so on its own it does not stop {{ ... }} from being evaluated; the two-character {{ delimiter itself has to be broken.
Disable Vulnerable Components
For the affected fields, stop displaying user-controlled values through SharpShowTextField: use a display that does not pass the value through Vue's template compiler, or remove the field from the Show page until you upgrade.
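As an added illustration (not code from Sharp, the vendor advisory, or this page), the following Python shows what "encode before passing to SharpShowTextField" has to achieve and why plain HTML escaping is not enough. It assumes, as the verification step on this page implies, that the displayed text reaches Vue's template compiler with its default {{ }} delimiters; the function names, the zero-width-space technique and the sample value are this example's own choices. In a Laravel application the same transformation would be written in PHP and applied wherever the value is handed to the field.

```python
import html
import re

# Vue's default interpolation delimiters. When attacker-controlled text ends up
# inside a template that Vue compiles, anything between them is evaluated as an
# expression instead of being displayed.
VUE_INTERPOLATION = re.compile(r"\{\{(.+?)\}\}", re.DOTALL)

# U+200B ZERO WIDTH SPACE: invisible when rendered, but enough to split the
# two-character "{{" / "}}" tokens so the template compiler never sees them.
ZWSP = "\u200b"


def html_escape_only(value: str) -> str:
    """Plain HTML escaping, what htmlspecialchars()/e() do in PHP.
    '{' and '}' are not HTML metacharacters, so {{ ... }} survives untouched
    and would still be evaluated by Vue."""
    return html.escape(value, quote=True)


def neutralize_vue_delimiters(value: str) -> str:
    """Hypothetical stopgap (not Sharp's own code): HTML-escape, then break
    every run of two or more braces with a zero-width space. A zero-width
    space is used rather than &#123; entities because some template
    compilers decode entities before scanning for delimiters, which would
    undo entity encoding."""
    escaped = html_escape_only(value)
    escaped = re.sub(r"\{(?=\{)", "{" + ZWSP, escaped)
    escaped = re.sub(r"\}(?=\})", "}" + ZWSP, escaped)
    return escaped


def still_interpolated(rendered: str) -> bool:
    """True if a {{ ... }} pair survives, i.e. the probe in 'Verify Fix
    Applied' would still be evaluated rather than shown literally."""
    return VUE_INTERPOLATION.search(rendered) is not None


def restore(value: str) -> str:
    """Undo the workaround (for exports, diffs, etc.): strip the zero-width
    spaces and decode the HTML escaping."""
    return html.unescape(value.replace(ZWSP, ""))


# Constructed sample of user-controlled text, as it might be stored in a column
# that a Show page displays through SharpShowTextField.
SAMPLE = "Hello <b>world</b>, your total is {{ 7 * 7 }}"

if __name__ == "__main__":
    print("escaped only, still interpolated:",
          still_interpolated(html_escape_only(SAMPLE)))
    print("neutralized, still interpolated:",
          still_interpolated(neutralize_vue_delimiters(SAMPLE)))
```

The zero-width space ends up in the displayed text, so anyone copying the value out of the admin panel picks it up; keep restore() for exports and treat the whole thing as a stopgap until 9.11.1 is installed, which removes the evaluation path instead of hiding the delimiters.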
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all user-controlled content rendered by SharpShowTextField components.
- Use Content Security Policy (CSP) headers to restrict script execution and limit what an injected payload can do. Note that Vue's runtime template compiler relies on 'unsafe-eval', so a policy that omits it may also break parts of the Sharp UI if they are compiled at runtime; test before enforcing.
🔍 How to Verify
Check if Vulnerable:
Inspect composer.lock (or run the command below) for the installed code16/sharp version. If it is below 9.11.1 and any Show page displays user-controlled content through SharpShowTextField, you are vulnerable.
Check Version:
composer show code16/sharp | grep versions
Verify Fix Applied:
Run composer show code16/sharp and confirm the version is 9.11.1 or higher. Then open a Show page for a record whose displayed field contains a harmless probe such as {{ 7 * 7 }} and confirm it is shown literally rather than evaluated to 49.
📡 Detection & Monitoring
Log Indicators:
- Stored values containing {{ ... }}, a <script tag, or inline event-handler attributes (onerror=, onload=) in columns that Show pages display through SharpShowTextField
- Repeated submissions from one account or IP address carrying such patterns, including ones rejected by validation
Network Indicators:
- Pages of your application loading scripts from, or sending requests to, domains you do not control
- Requests made with an administrator's session from an unfamiliar address, or admin actions the administrator did not initiate
SIEM Query:
source='application_logs' AND component='SharpShowTextField' AND (message LIKE '%{{%}}%' OR message LIKE '%<script%')
Field names are placeholders for whatever your pipeline uses. Anchor the second condition on the opening tag: a bare LIKE '%script%' also matches ordinary words such as "description" and "subscription" and drowns the alert in false positives.
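The same detection logic as the SIEM query above, written as an added Python example (not part of the original page or of any Sharp tooling) and run over constructed log lines. The JSON-per-line log format, the field names and the sample entries are assumptions, and the pattern set is slightly stricter than the query so that ordinary words containing "script" are not flagged.

```python
import json
import re

# Patterns that make a stored value suspicious for this issue: a Vue
# interpolation pair with non-empty content, a script tag, or an inline event
# handler attribute. Anchoring on "<script" rather than "script" avoids
# matching words such as "description".
SUSPICIOUS = {
    "vue_interpolation": re.compile(r"\{\{.+?\}\}", re.DOTALL),
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
}


def classify(message: str) -> list[str]:
    """Return the names of all patterns found in one field value."""
    return [name for name, rx in SUSPICIOUS.items() if rx.search(message)]


def scan(log_lines, component="SharpShowTextField"):
    """Parse JSON log lines and return the hits for the given component.
    Lines that are not JSON, or that belong to another component, are skipped."""
    hits = []
    for raw in log_lines:
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if entry.get("component") != component:
            continue
        found = classify(entry.get("message", ""))
        if found:
            hits.append({
                "user": entry.get("user"),
                "field": entry.get("field"),
                "patterns": found,
            })
    return hits


# Constructed sample log lines (assumed format, not real Sharp output): one
# JSON object per line carrying the fields the SIEM query refers to.
SAMPLE_LOG = [
    '{"component":"SharpShowTextField","field":"bio","user":"u42","message":"{{ 7 * 7 }}"}',
    '{"component":"SharpShowTextField","field":"bio","user":"u7","message":"Updated description of the product"}',
    '{"component":"SharpShowTextField","field":"note","user":"u42","message":"<SCRIPT src=//x.example></script>"}',
    '{"component":"SharpFormTextField","field":"bio","user":"u9","message":"{{ 1 + 1 }}"}',
    '{"component":"SharpShowTextField","field":"bio","user":"u3","message":"<img src=x onerror=alert(1)>"}',
    'not json at all',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Only the SharpShowTextField entries are reported, so the form-field line with {{ 1 + 1 }} is skipped; widen the component filter if your Show pages also log under other names. The hits are grouped per user and field so that repeated attempts from one account (the second log indicator above) stand out.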