CVE-2025-27515
Published: 05 March 2025
Summary
CVE-2025-27515 is a medium-severity Improper Neutralization of Wildcards or Matching Symbols (CWE-155) vulnerability in Laravel Framework. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 44.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-27515 is a vulnerability in Laravel, a popular PHP web application framework. It affects applications that validate file or image fields with wildcard rules, such as `files.*`. A user-crafted malicious request can bypass those validation rules, so a file the rules should have rejected is accepted and handed on to the application's upload handling. The weakness is tracked as CWE-155 (Improper Neutralization of Wildcards or Matching Symbols). Scoring differs by source: the summary above lists 6.9 (Medium), while the CVSS v3.1 vector cited for this issue, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, computes to 9.8, which is Critical rather than High on the v3.1 scale. The C:H/I:H/A:H impact in that vector assumes the bypassed check was the only barrier between an attacker's file and code execution or data access, which depends on the application. The issue was published on 2025-03-05 and fixed in Laravel 11.44.1 and 12.1.1.
Exploitation needs no authentication, only network access to an endpoint that applies wildcard validation to uploaded files: the attacker submits a specially crafted request and the intended checks on the uploaded files or images are not enforced. The consequence is whatever the application does with a file it believes has been validated. Depending on where the file is stored, how it is named, and whether it is later served, processed or included, that ranges from storing junk to arbitrary code execution, data exfiltration or service disruption.
The GitHub security advisory (GHSA-78fx-h6xr-vch4) and the fixing commit in laravel/framework (2d133034fefddfb047838f4caca3687a3ba811a5) give upgrading to Laravel 11.44.1 or 12.1.1 as the fix. The referenced sources specify no workaround, so an application that cannot upgrade immediately should not rely on framework-level wildcard file validation alone and should check uploads independently.
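Since the only fix the advisory and the mitigating controls below name is the version upgrade, the first check a practitioner wants is whether a deployment is on a fixed release. The following is an added example for this page (not code from the Laravel advisory or from laravel/framework); it assumes a composer.lock in Composer's standard format, and the lock content it runs against is constructed for the example.

```php
<?php
// Added example for this page; it is not part of the Laravel advisory or of
// laravel/framework. It assumes a composer.lock in Composer's standard format
// (top-level "packages" array with "name" and "version" per entry). The sample
// lock content below is constructed for the example.

declare(strict_types=1);

// Fixed versions named in GHSA-78fx-h6xr-vch4, keyed by major release line.
const LARAVEL_FIXED_VERSIONS = ['11' => '11.44.1', '12' => '12.1.1'];

/** Return the installed laravel/framework version (without a leading "v"), or null. */
function laravelFrameworkVersion(string $lockJson): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    // Only production "packages" matter; "packages-dev" is not installed on a deployed app.
    foreach ($lock['packages'] ?? [] as $pkg) {
        if (($pkg['name'] ?? null) === 'laravel/framework') {
            return ltrim((string) $pkg['version'], 'v');
        }
    }
    return null;
}

/** Compare an installed version with the advisory's fixed versions. */
function assessCve202527515(?string $version): string
{
    if ($version === null) {
        return 'laravel/framework is not in composer.lock';
    }
    // Branch aliases such as "11.x-dev" are not point releases; check them by hand.
    if (str_contains($version, 'dev')) {
        return "$version: development version, verify that commit 2d133034 is included";
    }
    $major = explode('.', $version, 2)[0];
    if (!isset(LARAVEL_FIXED_VERSIONS[$major])) {
        return "$version: no fixed version is named for this major in the advisory; consult GHSA-78fx-h6xr-vch4";
    }
    $fixed = LARAVEL_FIXED_VERSIONS[$major];
    return version_compare($version, $fixed, '>=')
        ? "$version: patched (>= $fixed)"
        : "$version: affected by CVE-2025-27515, upgrade to $fixed or later";
}

// Constructed sample: a lock file pinning a pre-fix 11.x release.
$sampleLock = json_encode([
    'packages' => [
        ['name' => 'laravel/framework', 'version' => 'v11.44.0'],
    ],
]);

echo assessCve202527515(laravelFrameworkVersion($sampleLock)), PHP_EOL;
// For a real project, point it at the lock file instead:
// echo assessCve202527515(laravelFrameworkVersion(file_get_contents('composer.lock')));
```

The check reads composer.lock rather than composer.json because the lock file records what is actually installed, not the constraint that was requested. On a Composer 2.4 or later toolchain, `composer audit` performs the same lookup against the advisory database and covers every dependency, not just the framework.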
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6153
Vulnerability details
Laravel is a web application framework. When using wildcard validation to validate a given file or image field (`files.*`), a user-crafted malicious request could potentially bypass the validation rules. This vulnerability is fixed in 11.44.1 and 12.1.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote unauthenticated bypass of file upload validation in a public-facing Laravel web application, directly enabling T1190 (Exploit Public-Facing Application) with potential for arbitrary code execution or other impacts.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): upgrading to the patched versions 11.44.1 or 12.1.1 removes the flaw in Laravel's wildcard file validation and is the only fix the advisory specifies.
- SI-10 (Information Input Validation): validating uploads at the application layer, against the files that actually arrived rather than only through framework wildcard rules, limits what a crafted request can slip past.
- Input restrictions: limiting accepted file types (judged by sniffed content, not the client-declared type), file sizes and the number of files per request reduces what a request exploiting the `files.*` bypass can achieve.
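The affected pattern from the deeper analysis, and the input-validation and input-restriction controls listed above, come together in one upload handler. The following is an added example for this page, not code from the Laravel advisory or from laravel/framework: it shows the `files.*` wildcard rules the advisory concerns, followed by a defence-in-depth pass over the uploaded files PHP actually received. It assumes a Laravel 11.x/12.x application; the field name `files`, the five-file and 2 MiB limits and the JPEG/PNG allow-list are assumptions.

```php
<?php
// Added example for this page; it is not code from the Laravel advisory or from
// laravel/framework. It assumes a Laravel 11.x/12.x application; the field name
// "files", the 5-file / 2 MiB limits and the JPEG/PNG allow-list are assumptions.

declare(strict_types=1);

use Illuminate\Http\Request;
use Illuminate\Http\UploadedFile;
use Illuminate\Validation\ValidationException;

/**
 * The pattern the advisory describes: wildcard rules on a file field. Before
 * 11.44.1 / 12.1.1 a crafted request could bypass these rules (CVE-2025-27515);
 * on patched versions this is the normal way to validate an array of uploads.
 */
function validateUploads(Request $request): array
{
    $request->validate([
        'files'   => ['required', 'array', 'max:5'],
        'files.*' => ['required', 'file', 'image', 'mimes:jpg,jpeg,png', 'max:2048'],
    ]);

    // Defence in depth (SI-10): re-check the UploadedFile objects that actually
    // arrived, independently of how the validator expanded "files.*".
    return enforceUploadPolicy(
        $request->file('files'),
        allowedMimes: ['image/jpeg', 'image/png'],
        maxBytes: 2 * 1024 * 1024,
        maxCount: 5,
    );
}

/** Apply type, size and count limits to what PHP received; returns accepted files with server-chosen names. */
function enforceUploadPolicy(mixed $files, array $allowedMimes, int $maxBytes, int $maxCount): array
{
    if (!is_array($files) || $files === []) {
        throw ValidationException::withMessages(['files' => 'Expected a non-empty list of files.']);
    }
    if (count($files) > $maxCount) {
        throw ValidationException::withMessages(['files' => "At most $maxCount files are accepted."]);
    }

    $accepted = [];
    foreach ($files as $key => $file) {
        // Accept only a flat, integer-keyed list: nested arrays and string keys
        // (including keys containing "." or "*") are rejected rather than interpreted.
        if (!is_int($key) || !$file instanceof UploadedFile || !$file->isValid()) {
            throw ValidationException::withMessages(["files.$key" => 'Invalid upload.']);
        }
        if ((int) $file->getSize() > $maxBytes) {
            throw ValidationException::withMessages(["files.$key" => 'File too large.']);
        }
        // Sniff the content type with finfo (getMimeType); never trust the
        // client-declared type (getClientMimeType) or the client's extension.
        $mime = $file->getMimeType();
        if (!in_array($mime, $allowedMimes, true)) {
            throw ValidationException::withMessages(["files.$key" => "Type $mime is not allowed."]);
        }
        // Server-generated name; extension() is derived from the sniffed type.
        $accepted[] = [
            'file'    => $file,
            'storeAs' => bin2hex(random_bytes(16)) . '.' . $file->extension(),
        ];
    }
    return $accepted;
}
```

The second pass does not replace the upgrade; it limits the blast radius if a validation layer is bypassed, which is the point of the SI-10 control. Storing the accepted files under the server-generated name, outside the web root, keeps a file that slipped through from being reachable as executable content.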