laravel/framework-v8.83.25: 7 vulnerabilities (highest severity is: 9.8) #53
Description
Vulnerable Library - laravel/framework-v8.83.25
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (laravel/framework-v8.83.25 version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-27515 |  Critical |
9.8 | laravel/framework-v8.83.25 | Direct | v12.1.1,v11.44.1 | ❌ |
| CVE-2024-52301 |  High |
7.5 | laravel/framework-v8.83.25 | Direct | N/A | ❌ |
| CVE-2025-64500 | High |
7.3 | symfony/http-foundation-v5.4.20 | Transitive | N/A* | ❌ |
| CVE-2025-22145 | High |
7.3 | nesbot/carbon-2.62.1 | Transitive | N/A* | ❌ |
| CVE-2025-46734 |  Medium |
6.4 | league/commonmark-2.3.5 | Transitive | N/A* | ❌ |
| CVE-2024-50345 |  Low |
3.1 | symfony/http-foundation-v5.4.20 | Transitive | N/A* | ❌ |
| CVE-2024-51736 | Low |
0.0 | symfony/process-v5.4.11 | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-27515
Vulnerable Library - laravel/framework-v8.83.25
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Dependency Hierarchy:
- ❌ laravel/framework-v8.83.25 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Laravel is a web application framework. When using wildcard validation to validate a given file or image field ("files.*"), a user-crafted malicious request could potentially bypass the validation rules. This vulnerability is fixed in 11.44.1 and 12.1.1.
Publish Date: 2025-03-05
URL: CVE-2025-27515
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-wppf-gqj5-fc4f
Release Date: 2025-03-05
Fix Resolution: v12.1.1,v11.44.1
Step up your Open Source Security Game with Mend here
CVE-2024-52301
Vulnerable Library - laravel/framework-v8.83.25
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Dependency Hierarchy:
- ❌ laravel/framework-v8.83.25 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Laravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-cli SAPIs.
Publish Date: 2024-11-12
URL: CVE-2024-52301
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Step up your Open Source Security Game with Mend here
CVE-2025-64500
Vulnerable Library - symfony/http-foundation-v5.4.20
Defines an object-oriented layer for the HTTP specification
Library home page: https://api.github.com/repos/symfony/http-foundation/zipball/d0435363362a47c14e9cf50663cb8ffbf491875a
Dependency Hierarchy:
- laravel/framework-v8.83.25 (Root Library)
- ❌ symfony/http-foundation-v5.4.20 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the "Request" class improperly interprets some "PATH_INFO" in a way that leads to representing some URLs with a path that doesn't start with a "/". This can allow bypassing some access control rules that are built with this "/"-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the "Request" class now ensures that URL paths always start with a "/".
Publish Date: 2025-11-12
URL: CVE-2025-64500
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-3rg7-wf37-54rm
Release Date: 2025-11-12
Fix Resolution: symfony/symfony - v7.3.7,symfony/symfony - v5.4.50,symfony/http-foundation - v6.4.29,symfony/http-foundation - v5.4.50,symfony/http-foundation - v7.3.7,symfony/symfony - v6.4.29
Step up your Open Source Security Game with Mend here
CVE-2025-22145
Vulnerable Library - nesbot/carbon-2.62.1
An API extension for DateTime that supports 281 different languages.
Library home page: https://api.github.com/repos/CarbonPHP/carbon/zipball/01bc4cdefe98ef58d1f9cb31bdbbddddf2a88f7a
Dependency Hierarchy:
- laravel/framework-v8.83.25 (Root Library)
- ❌ nesbot/carbon-2.62.1 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Carbon is an international PHP extension for DateTime. Application passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include, if the application allows users to upload files with .php extension in an folder that allows include or require to read it, then they are at risk of arbitrary code ran on their servers. This vulnerability is fixed in 3.8.4 and 2.72.6.
Publish Date: 2025-01-08
URL: CVE-2025-22145
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-j3f9-p6hm-5w6q
Release Date: 2025-01-08
Fix Resolution: 2.72.6,3.8.4
Step up your Open Source Security Game with Mend here
CVE-2025-46734
Vulnerable Library - league/commonmark-2.3.5
Highly-extensible PHP Markdown parser which fully supports the CommonMark spec and GitHub-Flavored Markdown (GFM)
Library home page: https://api.github.com/repos/thephpleague/commonmark/zipball/84d74485fdb7074f4f9dd6f02ab957b1de513257
Dependency Hierarchy:
- laravel/framework-v8.83.25 (Root Library)
- ❌ league/commonmark-2.3.5 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
league/commonmark is a PHP Markdown parser. A cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library (versions 1.5.0 through 2.6.x) allows remote attackers to insert malicious JavaScript calls into HTML. The league/commonmark library provides configuration options such as "html_input: 'strip'" and "allow_unsafe_links: false" to mitigate cross-site scripting (XSS) attacks by stripping raw HTML and disallowing unsafe links. However, when the Attributes Extension is enabled, it introduces a way for users to inject arbitrary HTML attributes into elements via Markdown syntax using curly braces. Version 2.7.0 contains three changes to prevent this XSS attack vector: All attributes starting with "on" are considered unsafe and blocked by default; support for an explicit allowlist of allowed HTML attributes; and manually-added "href" and "src" attributes now respect the existing "allow_unsafe_links" configuration option. If upgrading is not feasible, please consider disabling the "AttributesExtension" for untrusted users and/or filtering the rendered HTML through a library like HTMLPurifier.
Publish Date: 2025-05-05
URL: CVE-2025-46734
CVSS 3 Score Details (6.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-3527-qv2q-pfvx
Release Date: 2025-05-05
Fix Resolution: league/commonmark - 2.7.0
Step up your Open Source Security Game with Mend here
CVE-2024-50345
Vulnerable Library - symfony/http-foundation-v5.4.20
Defines an object-oriented layer for the HTTP specification
Library home page: https://api.github.com/repos/symfony/http-foundation/zipball/d0435363362a47c14e9cf50663cb8ffbf491875a
Dependency Hierarchy:
- laravel/framework-v8.83.25 (Root Library)
- ❌ symfony/http-foundation-v5.4.20 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
symfony/http-foundation is a module for the Symphony PHP framework which defines an object-oriented layer for the HTTP specification. The "Request" class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the "Request" class to redirect users to another domain. The "Request::create" methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/. This issue has been patched in versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-11-06
URL: CVE-2024-50345
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Step up your Open Source Security Game with Mend here
CVE-2024-51736
Vulnerable Library - symfony/process-v5.4.11
Executes commands in sub-processes
Library home page: https://api.github.com/repos/symfony/process/zipball/6e75fe6874cbc7e4773d049616ab450eff537bf1
Dependency Hierarchy:
- laravel/framework-v8.83.25 (Root Library)
- ❌ symfony/process-v5.4.11 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. On Windows, when an executable file named "cmd.exe" is located in the current working directory it will be called by the "Process" class when preparing command arguments, leading to possible hijacking. This issue has been addressed in release versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-11-06
URL: CVE-2024-51736
CVSS 3 Score Details (0.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: None
Step up your Open Source Security Game with Mend here