CVE-2025-65346

alexusmai · laravel-file-manager

The alexusmai laravel-file-manager package (3.3.1 and below) is vulnerable to Directory Traversal, allowing arbitrary file writes during the unzip/extraction process.

Executive summary

A critical Directory Traversal vulnerability in alexusmai laravel-file-manager allows attackers to overwrite arbitrary files on the filesystem during archive extraction.

Vulnerability

The vulnerability lies in the unzip functionality, which does not validate the destination path of each extracted archive entry. An entry name carrying traversal sequences therefore escapes the intended extraction directory, allowing an attacker to write malicious files to unintended locations on the server.
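The missing check described above is a per-entry containment test before anything is written. The following is an added example of a hardened extraction routine, not code from the laravel-file-manager package; it assumes PHP 8+ with the bundled ZipArchive extension, and the function and parameter names are the example's own.

```php
// Added example, not laravel-file-manager code. Assumes PHP 8+ with the bundled ZipArchive extension.
// Lexically map an archive entry name to a path inside $destDir; null means the entry would escape it.
function containedEntryPath(string $entryName, string $destDir): ?string
{
    $name = str_replace('\\', '/', $entryName);
    // Absolute paths and Windows drive letters never belong in an archive.
    if ($name === '' || $name[0] === '/' || preg_match('/^[A-Za-z]:/', $name)) {
        return null;
    }
    $kept = [];
    foreach (explode('/', $name) as $segment) {
        if ($segment === '..') {
            return null;                       // parent reference: escapes the target
        }
        if ($segment !== '' && $segment !== '.') {
            $kept[] = $segment;                // drop empty and "." segments
        }
    }
    return $kept === [] ? null : rtrim($destDir, '/') . '/' . implode('/', $kept);
}

// Extract $zipPath into $destDir, skipping unsafe entries; returns their names so the caller can log them.
function safeExtract(string $zipPath, string $destDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    $rejected = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $entry  = $zip->getNameIndex($i);
        $target = containedEntryPath($entry, $destDir);
        if ($target === null) {
            $rejected[] = $entry;              // traversal attempt or malformed name
            continue;
        }
        $isDir = str_ends_with($entry, '/');
        $dir   = $isDir ? $target : dirname($target);
        if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
            throw new RuntimeException("cannot create $dir");
        }
        if ($isDir || ($stream = $zip->getStream($entry)) === false) {
            continue;                          // directory entry or unreadable file
        }
        file_put_contents($target, $stream);   // accepts a stream resource
        fclose($stream);
    }
    $zip->close();
    return $rejected;
}
```

The lexical check does not cover symlinks already present under the destination; extract into a fresh directory, or compare realpath(dirname($target)) against realpath($destDir) before each write.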

Business impact

A CVSS score of 9.1 underscores the severity of this flaw, as it facilitates arbitrary file writing, which can lead to Remote Code Execution (RCE) via web shell deployment. The potential for total system compromise makes this a high-priority risk for any application utilizing this library.

Remediation

Immediate Action: Update to the latest version of alexusmai laravel-file-manager as specified by the vendor advisory.

Proactive Monitoring: Review web server logs for suspicious file upload activity and monitor for the creation of unexpected files in sensitive system directories.

Compensating Controls: Implement strict filesystem permissions and utilize a WAF to restrict file upload types and paths.

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

Security teams must prioritize updating the laravel-file-manager library to remediate the directory traversal flaw. Failure to address this could result in full server takeover; therefore, immediate patching is recommended to mitigate the risk of malicious file injection.