CVE-2025-14894
Published: 16 January 2026
Summary
CVE-2025-14894 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Livewire-Filemanager Filemanager. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 3.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mandates file type and MIME validation on uploads to block malicious PHP files, the check missing in LivewireFilemanagerComponent.php.
- Restricts publicly accessible content to prevent execution of uploaded malicious files via the exposed /storage/ URL in typical Laravel setups.
- Restricts dangerous information inputs, such as unrestricted file uploads, to safe types only, mitigating CWE-434 (unrestricted upload of a file with a dangerous type).
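The two controls above translate into two concrete checks at the upload boundary: validate the file against an allowlist (extension and actual content, not the client-supplied MIME type) and store it under a server-chosen name on a path the web server never serves. The following is an added example written for this page, not code from the Livewire Filemanager project; it is plain PHP so it runs on the CLI without Laravel, and the function names, directory names and sample inputs are constructed.

```php
<?php
// Added example (not Livewire Filemanager code): the validation CVE-2025-14894
// lacked, shown as a vulnerable "before" beside a hardened "after".
declare(strict_types=1);

// Allowlist: lowercase extension -> leading magic bytes the content must carry.
const ALLOWED_TYPES = [
    'png'  => "\x89PNG\r\n\x1a\n",
    'jpg'  => "\xFF\xD8\xFF",
    'jpeg' => "\xFF\xD8\xFF",
    'gif'  => "GIF8",
    'pdf'  => "%PDF-",
];

// Vulnerable pattern (what the advisory describes): the client-supplied name is
// trusted and the file is written under the directory linked to /storage/.
function vulnerable_store(string $clientName, string $bytes, string $publicDir): string
{
    $dest = $publicDir . '/' . basename($clientName); // "shell.php" becomes /storage/shell.php
    file_put_contents($dest, $bytes);
    return $dest;
}

// Hardened pattern: allowlisted extension, content sniffed against that type,
// random server-chosen name, and a directory that is not web-accessible.
function hardened_store(string $clientName, string $bytes, string $privateDir): string
{
    // Only the final extension counts; "shell.php.png" still has to be a real PNG.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new InvalidArgumentException("extension '$ext' is not allowed");
    }
    $magic = ALLOWED_TYPES[$ext];
    if (strncmp($bytes, $magic, strlen($magic)) !== 0) {
        throw new InvalidArgumentException("content does not match a $ext file");
    }
    // The uploader neither chooses the name nor can predict the resulting path.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = $privateDir . '/' . $name;
    file_put_contents($dest, $bytes);
    return $dest;
}

// Constructed sample inputs for a CLI run (temp directories, harmless content).
$privateDir = sys_get_temp_dir() . '/demo_private_uploads';
@mkdir($privateDir);

$phpSource = "<?php echo 'this should never be served'; ?>";
$pngBytes  = "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16);

$cases = [
    ['shell.php',     $phpSource],   // wrong extension
    ['shell.php.png', $phpSource],   // double extension, PHP content
    ['photo.png',     $pngBytes],    // legitimate image
];
foreach ($cases as [$name, $bytes]) {
    try {
        echo "$name -> accepted as " . basename(hardened_store($name, $bytes, $privateDir)) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "$name -> rejected: " . $e->getMessage() . "\n";
    }
}
```

Running it rejects `shell.php` on the extension check, rejects `shell.php.png` on the content check, and accepts `photo.png` under a random name. In a Laravel component the same two points map to the `mimes:` validation rule, which checks the file's contents rather than its declared type, and to `storeAs()` on a disk whose root is not linked under `public/storage`.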
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unrestricted file upload (CWE-434) in a public-facing Laravel component directly enables remote code execution via web shell deployment.
NVD Description
Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation, allowing for RCE through upload of a malicious php file that can then be executed via the /storage/ URL if a commonly performed setup process within Laravel applications has been completed.
Deeper analysis
CVE-2025-14894 is a critical vulnerability in the Livewire Filemanager, a component commonly integrated into Laravel applications. Specifically, the LivewireFilemanagerComponent.php file lacks proper file type and MIME type validation, enabling attackers to upload malicious PHP files. These files can then be executed remotely via the /storage/ URL if the application has undergone a typical Laravel storage setup process, such as linking the storage directory to be publicly accessible. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type), with publication on January 16, 2026.
The attack scenario involves an unauthenticated remote attacker with network access; exploitation has low complexity and requires no privileges or user interaction. The attacker uploads a crafted PHP file through the filemanager component, which performs no validation, and then triggers execution by requesting the file via the exposed /storage/ endpoint. Successful exploitation results in remote code execution (RCE) with high confidentiality, integrity, and availability impact, potentially allowing full server compromise.
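Because the execution step in this scenario is an ordinary HTTP request for a PHP-looking file under /storage/, the web server's access log is a good place to look for it. The following added example (written for this page, not part of the advisory or the project) parses combined-format access log lines and flags successfully served requests for such files; the log lines, IP addresses and paths are constructed samples, and the extension list is an assumption to adjust to the server's handler configuration.

```php
<?php
// Added example (not project code): flag served requests for PHP-like files
// under /storage/, the execution step described in CVE-2025-14894.
declare(strict_types=1);

// Which extensions the server actually hands to PHP depends on its configuration;
// this list is an assumption and should mirror the real handler mapping.
const PHP_IN_STORAGE = '#^/storage/.*\.(?:php|phtml|phar)(?:\?|$)#i';

// Minimal combined-log-format parser; returns null for lines it cannot read.
function parse_access_line(string $line): ?array
{
    $re = '#^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) #';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
    ];
}

// Returns the parsed requests that hit a PHP-looking path under /storage/ and
// were served with a 2xx status. A 404 for the same path is not flagged here:
// the file never landed in the public path, so nothing executed.
function find_storage_php_hits(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parse_access_line($line);
        if ($req === null) {
            continue;
        }
        $served = $req['status'] >= 200 && $req['status'] < 300;
        if ($served && preg_match(PHP_IN_STORAGE, $req['path'])) {
            $hits[] = $req;
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic); the upload endpoint path is a placeholder.
$sample = [
    '203.0.113.5 - - [16/Jan/2026:10:00:01 +0000] "POST /upload-placeholder HTTP/1.1" 200 35 "-" "curl/8.0"',
    '203.0.113.5 - - [16/Jan/2026:10:00:03 +0000] "GET /storage/uploads/shell.php?x=1 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [16/Jan/2026:10:00:05 +0000] "GET /storage/uploads/photo.png HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Jan/2026:10:00:09 +0000] "GET /storage/uploads/old.php HTTP/1.1" 404 0 "-" "curl/8.0"',
];
foreach (find_storage_php_hits($sample) as $hit) {
    printf("%s %s %s %s -> %d\n", $hit['time'], $hit['ip'], $hit['method'], $hit['path'], $hit['status']);
}
```

On the sample above only the second line is reported: a served `GET` for `/storage/uploads/shell.php`. Any hit from this check is worth treating as confirmed execution of an uploaded file rather than as an attempt, since a correctly configured deployment has no reason to serve PHP from the storage link at all.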
For mitigation details, security practitioners should review the official advisories and resources, including the Livewire Filemanager GitHub repository at https://github.com/livewire-filemanager/filemanager, a technical analysis of the unauthenticated RCE at https://hackingbydoing.wixsite.com/hackingbydoing/post/unauthenticated-rce-in-livewire-filemanager, and the CERT vulnerability note at https://www.kb.cert.org/vuls/id/650657.
Details
- CWE(s)