CVE-2026-4809
Plank · laravel-mediable
Plank laravel-mediable through version 6.4.0 allows for arbitrary file upload and remote code execution by trusting client-supplied MIME types during the upload process.
Executive summary
A critical arbitrary file upload vulnerability in the laravel-mediable package allows unauthenticated attackers to upload and execute malicious PHP code on the server.
Vulnerability
The package can be configured to trust client-supplied MIME types. An unauthenticated attacker can upload a file containing PHP code while spoofing a benign MIME type (e.g., image/jpeg). If the file is stored in a web-accessible directory, the attacker can execute it to gain remote code execution.
Business impact
A successful exploit results in full server compromise. Given the CVSS score of 9.8, the business risk includes data breaches, website defacement, and the use of the server as a pivot point for internal network attacks. The lack of a patch at the time of publication increases the urgency for manual mitigation.
Remediation
Immediate Action: Disable any configuration option that trusts client-supplied MIME types. Determine the MIME type server-side from the file's content (magic bytes) rather than from the Content-Type header the client sends, and reject uploads whose content, extension and declared type do not agree.
Proactive Monitoring: Audit all files already present in the media storage directories for PHP tags or executable extensions. Review web server access logs for direct requests to files in those directories, which would indicate an uploaded file being executed.
Compensating Controls: Configure the web server (Nginx/Apache) so that scripts in upload directories are never executed and are served only as static content, and move uploaded files to a non-web-accessible location or a dedicated storage service such as AWS S3.
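As an added example (not code from the laravel-mediable package), the following Python validator sketches the content-based check described above: the accepted type is derived from magic bytes, the client's declared MIME type and the file extension must agree with it, and the body is scanned for PHP open tags so that a polyglot (a valid image carrying embedded PHP in its metadata) is also rejected. The allowlist, signature table and function names are assumptions for this example.

```python
import re
from typing import Optional, Tuple

# Allowlist (constructed for this example), keyed by the content-detected MIME type.
ALLOWED_TYPES = {
    "image/jpeg": {"jpg", "jpeg"},
    "image/png": {"png"},
    "image/gif": {"gif"},
    "application/pdf": {"pdf"},
}

# Magic-byte prefixes for the allowlisted types (prefix -> MIME type).
MAGIC_PREFIXES = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
]

# Any PHP open tag anywhere in the body, including inside image metadata.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

# Filenames are restricted to one alphanumeric stem plus one extension, so a
# name such as "shot.php.jpg" never reaches the web server's handler matching.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$")

def sniff_mime(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for prefix, mime in MAGIC_PREFIXES:
        if data.startswith(prefix):
            return mime
    return None

def validate_upload(filename: str, declared_mime: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an upload may be stored; the verdict never trusts the client's Content-Type alone."""
    match = SAFE_NAME.match(filename)
    if not match:
        return False, "filename must be <stem>.<ext> with no extra dots"
    ext = match.group(1).lower()
    detected = sniff_mime(data)
    if detected is None:
        return False, "content does not match any allowlisted signature"
    if ext not in ALLOWED_TYPES[detected]:
        return False, f"extension .{ext} does not match content type {detected}"
    if declared_mime.split(";")[0].strip().lower() != detected:
        return False, f"client declared {declared_mime}, content is {detected}"
    if PHP_OPEN_TAG.search(data):
        return False, "PHP open tag embedded in file body"
    return True, detected
```

Even with this check in place, the web server configuration described above remains necessary, because content validation cannot anticipate every format that an interpreter might still execute.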
Exploitation status
Public Exploit Available: false
Analyst recommendation
Because no official patch exists, administrators must manually harden their Laravel applications. It is critical to ensure that the web server is configured to never execute PHP in the directories where laravel-mediable stores files.