CVE-2025-65346

9.1 CRITICAL

📋 TL;DR

CVE-2025-65346 is a directory traversal vulnerability in the unzip feature of alexusmai/laravel-file-manager. Because extraction paths are not sufficiently validated, an attacker who can reach the file manager can have archive contents written outside the configured disk, to any location the web server process is able to write. Any Laravel application that installs an affected version of the package is exposed.

💻 Affected Systems

Products:
  • alexusmai/laravel-file-manager
Versions: 3.3.1 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Laravel applications using this specific file manager package. The vulnerability exists in the archive extraction functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise. An arbitrary file write into a web-served directory becomes remote code execution (a dropped web shell), followed by data exfiltration or system takeover.

🟠 Likely Case: Unauthorized file writes to sensitive directories, potentially leading to web shell deployment, data manipulation, or privilege escalation.

🟢 If Mitigated: Limited impact if the web server process can write only to the file manager's own storage disk (kept outside the document root) and extraction destinations are validated against that disk root.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the file manager interface. Public proof-of-concept demonstrates the directory traversal technique.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.3.2 or later

Vendor Advisory: https://github.com/alexusmai/laravel-file-manager

Restart Required: No (if OPcache runs with opcache.validate_timestamps=0, reload PHP-FPM so the patched classes are actually loaded)

Instructions:

1. Update composer.json to require 'alexusmai/laravel-file-manager:^3.3.2'.
2. Run 'composer update alexusmai/laravel-file-manager'.
3. Clear Laravel cache with 'php artisan cache:clear'.

🔧 Temporary Workarounds

Disable Archive Extraction

Temporarily disable the unzip/extract functionality of the file manager until you can upgrade.

In config/file-manager.php, restrict the allowed upload types so archives cannot be uploaded (use the allow-list key your installed version exposes; recent releases call it allowFileTypes, and there is no standard 'allow_upload' key), and block POST requests to the file manager's unzip action at the web server or in a route middleware. Restricting uploads alone is not enough if attackers can place archives on the disk by other means, for example through an upload feature of your own application.

Input Validation Middleware

Implement custom middleware to validate extraction paths before processing.

Normalise the request's destination path lexically (reject absolute paths and any '..' segment that climbs out of the disk root), then confirm the resolved directory with realpath() and compare it against the configured disk root. realpath() returns false for paths that do not exist yet, so it cannot be the only check; and middleware sees only request parameters, not the entry names inside the uploaded archive, so the per-entry check still belongs in the extraction code itself.

🧯 If You Can't Patch

  • Run PHP-FPM (or the web server) as a user that can write only to the file manager's storage disk, keep that disk outside the document root, and make sure the web server does not execute scripts from it; restricting writes to "web directories" is not enough, since a write inside the web root is exactly what a web shell needs
  • Deploy web application firewall (WAF) rules to detect and block directory traversal patterns ('../' and URL-encoded '%2e%2e') in file manager requests; note that a WAF inspects request parameters and does not see the entry names inside an uploaded archive

🔍 How to Verify

Check if Vulnerable:

Check composer.lock or vendor/alexusmai/laravel-file-manager/composer.json for version <=3.3.1

Check Version:

composer show alexusmai/laravel-file-manager | grep versions

Verify Fix Applied:

Confirm composer.lock records 3.3.2 or later, then, in a staging environment, test extraction with an archive whose entry names (and a destination path) contain traversal sequences such as '../escaped.txt' and verify that nothing is written outside the configured disk.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write operations outside expected directories
  • Archive extraction attempts with '../' patterns in paths
  • Permission-denied errors in PHP or web server logs when the web server user attempts to write outside its storage directories

Network Indicators:

  • POST requests to file manager endpoints with archive files containing traversal paths

SIEM Query:

source='web_logs' AND (uri_path LIKE '%/file-manager/%' AND (request_body LIKE '%..%' OR request_body LIKE '%zip%' OR request_body LIKE '%extract%'))

Adjust the uri_path pattern to the routePrefix set in config/file-manager.php (the default prefix is 'file-manager'). The '..', 'zip' and 'extract' patterns are broad and will produce noise; narrow to the unzip action's path once you have confirmed it in your routes, and add URL-encoded variants such as '%2e%2e', which this query does not catch.
