CVE-2025-27515
Published: 05 March 2025
Summary
CVE-2025-27515 is a critical-severity Improper Neutralization of Wildcards or Matching Symbols (CWE-155) vulnerability in Laravel Framework. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 48.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): upgrading laravel/framework to 11.44.1 or 12.1.1 removes the flaw in wildcard file validation and is the only mitigation the advisory specifies; it is the control that actually closes CVE-2025-27515.
SI-10 (Information Input Validation): validating uploads explicitly at each file and image upload point, rather than relying solely on a `files.*` wildcard rule, reduces what a request that slips past the wildcard validation can achieve. This is defense in depth, not a substitute for the upgrade.
SI-10, continued: enforcing restrictions on uploaded input such as allowed file types, maximum size, and maximum number of files per request narrows the room an attacker has to craft a request that abuses the `files.*` validation bypass, and limits the damage if one succeeds.
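The first control above is a version check before anything else. The following script, added here as an example and not code from the Laravel project or from this page's source, audits a composer.lock against the fixed versions the NVD description gives (11.44.1 on the 11.x line, 12.1.1 on the 12.x line). The lock-file content embedded in it is constructed for illustration; the helper names (`parse_version`, `classify`, `audit_lock`) are this example's own. Versions outside the 11.x and 12.x lines are reported as unknown rather than safe, because this page states no affected-range start.

```python
"""Audit a composer.lock for a laravel/framework release that predates the
CVE-2025-27515 fixes (11.44.1 on 11.x, 12.1.1 on 12.x, per the NVD text)."""
import json
import re
from typing import Optional

# Fixed versions as stated in the NVD description for CVE-2025-27515.
FIXED_BY_MAJOR = {11: (11, 44, 1), 12: (12, 1, 1)}


def parse_version(tag: str) -> Optional[tuple]:
    """Turn a composer tag like 'v11.44.0' or '12.1.1' into an int tuple.

    A pre-release suffix such as '12.0.0-beta1' is ignored; only the
    numeric major.minor.patch part is compared.
    """
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def classify(tag: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for a laravel/framework tag.

    Only the 11.x and 12.x lines are covered by the fixed versions on this
    page; anything else is 'unknown' and must be checked against the
    advisory (GHSA-78fx-h6xr-vch4) rather than assumed safe.
    """
    v = parse_version(tag)
    if v is None:
        return "unknown"
    fixed = FIXED_BY_MAJOR.get(v[0])
    if fixed is None:
        return "unknown"
    return "fixed" if v >= fixed else "vulnerable"


def audit_lock(lock_json: str) -> dict:
    """Locate laravel/framework in composer.lock (prod and dev sections)
    and classify the pinned version."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "laravel/framework":
                tag = pkg.get("version", "")
                return {"version": tag, "status": classify(tag)}
    return {"version": None, "status": "absent"}


# Constructed sample lock file (not taken from a real project), pinned one
# release before the 11.x fix so the audit reports it as vulnerable.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.44.0"},
        {"name": "symfony/http-foundation", "version": "v7.2.3"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    # Run against a real project with: audit_lock(open("composer.lock").read())
    print(audit_lock(SAMPLE_LOCK))
```

The check reads composer.lock rather than composer.json on purpose: the lock file records the version actually installed, whereas composer.json only records a constraint such as `^11.0` that may or may not resolve to a fixed release.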
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote unauthenticated bypass of file upload validation in a public-facing Laravel web application, directly enabling T1190 (Exploit Public-Facing Application) with potential for arbitrary code execution or other impacts.
NVD Description
Laravel is a web application framework. When using wildcard validation to validate a given file or image field (`files.*`), a user-crafted malicious request could potentially bypass the validation rules. This vulnerability is fixed in 11.44.1 and 12.1.1.
Deeper analysis
CVE-2025-27515 is a critical-severity vulnerability in Laravel, a popular PHP web application framework. It affects applications that validate file or image fields with a wildcard rule such as `files.*`. A user-crafted request can bypass those validation rules, so content the rules were meant to reject reaches the application as if it had been validated. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-155. It was published on 2025-03-05 and fixed in Laravel 11.44.1 and 12.1.1.
Unauthenticated attackers with network access can exploit the flaw by submitting crafted requests to endpoints that perform wildcard file validation. Success bypasses the intended checks on uploaded files or images; what that enables depends on what the application then does with the upload. The CVSS vector rates the confidentiality, integrity, and availability impact as High, which in a given deployment could mean code execution, data exfiltration, or service disruption.
The official Laravel security advisory (GHSA-78fx-h6xr-vch4) and the fixing commit (2d133034fefddfb047838f4caca3687a3ba811a5) recommend upgrading to Laravel 11.44.1 or 12.1.1 to mitigate the issue. No additional workarounds are specified in the provided references.
Details
- CWE(s)