CVE-2019-25673
Published: 05 April 2026
Summary
CVE-2019-25673 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 32.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2019-25673 is an arbitrary file upload vulnerability affecting UniSharp Laravel File Manager versions v2.0.0-alpha7 and v2.0. The flaw allows authenticated attackers to upload malicious files by sending multipart form data to the upload endpoint, specifically PHP files with the type parameter set to Files. Once uploaded, attackers can execute arbitrary code by accessing the file through the working directory path. The vulnerability is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).
The attack requires low-privilege authenticated access (PR:L) over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Exploiting it enables remote code execution, granting high-impact confidentiality, integrity, and availability compromises (C:H/I:H/A:H) on the affected system.
Mitigation details are available in referenced advisories, including the GitHub repository at https://github.com/UniSharp/laravel-filemanager, issue tracker at https://github.com/UniSharp/laravel-filemanager/issues/356, an Exploit-DB entry at https://www.exploit-db.com/exploits/46389, and a Vulncheck advisory at https://www.vulncheck.com/advisories/unisharp-laravel-file-manager-alpha7-arbitrary-file-upload.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-20081
Vulnerability details
UniSharp Laravel File Manager v2.0.0-alpha7 and v2.0 contain an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by sending multipart form data to the upload endpoint. Attackers can upload PHP files with the type parameter set to Files and execute arbitrary code by accessing the uploaded file through the working directory path.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary PHP file upload directly enables web shell deployment (T1100) on a public-facing Laravel app, with initial access via exploitation of the vulnerable upload endpoint (T1190).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly enforces validation of uploaded files to reject dangerous types such as PHP, preventing arbitrary file upload and the code execution that follows from it.
- SI-2 (Flaw Remediation): requires timely identification, reporting, and patching of flaws like CVE-2019-25673 in vulnerable components such as UniSharp Laravel File Manager.
- SI-3 (Malicious Code Protection): deploys malicious code protection at upload endpoints to scan and block PHP shells or other executable malicious files before they are stored or executed.
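The SI-10 and SI-3 controls above come down to one server-side decision: accept an upload only when both its name and its actual bytes match an allowlist, and never let a client-supplied selector (such as the type parameter described in this advisory) decide where or how the file is stored. The following PHP is an added illustration written for this page, not code from UniSharp Laravel File Manager or any Laravel package; the class name, the allowlist contents, and the assumption that files are stored outside the web root under a server-generated name are all hypothetical choices for the example.

```php
<?php
// Added example (not UniSharp Laravel File Manager code): allowlist-based upload
// validation of the kind NIST 800-53 SI-10 calls for. Assumptions (hypothetical):
// the handler receives the temp path of the uploaded file plus the client-supplied
// filename, and stores accepted files outside the web root under a random name.

declare(strict_types=1);

final class UploadValidator
{
    /** Extensions permitted at all; anything not listed is rejected (allowlist, not denylist). */
    private const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

    /** Content-sniffed MIME types expected for each allowed extension. */
    private const EXPECTED_MIME = [
        'jpg'  => ['image/jpeg'],
        'jpeg' => ['image/jpeg'],
        'png'  => ['image/png'],
        'gif'  => ['image/gif'],
        'pdf'  => ['application/pdf'],
        'txt'  => ['text/plain'],
    ];

    /**
     * Returns a safe, server-generated filename to store under, or throws.
     * Any client-controlled "type" selector is deliberately ignored: the decision
     * rests only on the submitted filename and the bytes actually uploaded.
     */
    public static function validate(string $tmpPath, string $clientName): string
    {
        // 1. Reject path separators and NUL bytes in the client filename.
        if (preg_match('/[\/\\\\\x00]/', $clientName)) {
            throw new RuntimeException('Invalid filename');
        }

        // 2. Every dotted segment after the first is treated as an extension, so a
        //    name like "report.php.jpg" is rejected even though its last extension
        //    is allowed (server handlers may act on inner extensions).
        $parts = explode('.', strtolower($clientName));
        if (count($parts) < 2) {
            throw new RuntimeException('Missing extension');
        }
        $extensions = array_slice($parts, 1);
        foreach ($extensions as $ext) {
            if (!in_array($ext, self::ALLOWED_EXT, true)) {
                throw new RuntimeException("Extension not allowed: $ext");
            }
        }
        $ext = end($extensions);

        // 3. Sniff the real content type from the bytes, not from the request headers.
        $finfo = new finfo(FILEINFO_MIME_TYPE);
        $mime  = $finfo->file($tmpPath);
        if ($mime === false || !in_array($mime, self::EXPECTED_MIME[$ext], true)) {
            throw new RuntimeException("Content does not match extension: $mime");
        }

        // 4. Never reuse the client name on disk: random name plus the validated extension.
        return bin2hex(random_bytes(16)) . '.' . $ext;
    }
}

// Usage with constructed input: a minimal PNG signature written to a temp file is accepted.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 64));
echo 'Stored as: ', UploadValidator::validate($tmp, 'avatar.png'), PHP_EOL;

// Constructed negative case: PHP source renamed to .jpg fails the content check.
file_put_contents($tmp, "<?php echo 1; ?>");
try {
    UploadValidator::validate($tmp, 'photo.jpg');
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
unlink($tmp);
```

Two design points matter here. The check is an allowlist keyed on the extension and confirmed by libmagic sniffing of the bytes, so renaming a script or supplying a misleading Content-Type does not get it past step 3; and the stored name is generated by the server, so even a file that passes validation can never be reached at a path the uploader chose. Keeping the storage directory outside the web root, or serving it with script execution disabled, is the complementary SI-3 measure that limits damage if a validation rule is ever wrong.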