CVE-2025-54082
Published: 21 July 2025
Summary
CVE-2025-54082 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 14.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability CVE-2025-54082 affects the marshmallow-packages/nova-tiptap package, a rich text editor for Laravel Nova based on tiptap. Prior to version 5.7.0, the package exposed a file upload endpoint at /nova-tiptap/api/file that lacked the Nova and Nova.Auth authentication middleware, performed no MIME type or extension validation on uploaded content, and permitted an attacker-supplied disk parameter. This combination enables unauthenticated uploads of arbitrary files, including executables, to any storage disk configured in the Laravel application such as local, public, or S3.
An unauthenticated attacker can exploit the flaw by crafting a POST request that includes a valid CSRF token and targets a publicly accessible disk. Successful exploitation allows the attacker to place malicious files such as .php scripts or binaries in a web-accessible location, which can result in remote code execution or distribution of malware depending on the storage configuration and web server settings.
The issue was addressed in release 5.7.0, as documented in the project security advisory GHSA-96c2-h667-9fxp and the associated commit that restores the missing middleware and adds file validation controls. The EPSS score remains low and unchanged at 0.0241 with no indicated rise in exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22109
Vulnerability details
marshmallow-packages/nova-tiptap is a rich text editor for Laravel Nova based on tiptap. Prior to 5.7.0, a vulnerability was discovered in the marshmallow-packages/nova-tiptap Laravel Nova package that allows unauthenticated users to upload arbitrary files to any Laravel disk configured in the application. The vulnerability is due to missing authentication middleware (Nova and Nova.Auth) on the /nova-tiptap/api/file upload endpoint, the lack of validation on uploaded files (no MIME/type or extension restrictions), and the ability for an attacker to choose the disk parameter dynamically. This means an attacker can craft a custom form and send a POST request to /nova-tiptap/api/file, supplying a valid CSRF token, and upload executable or malicious files (e.g., .php, binaries) to public disks such as local, public, or s3. If a publicly accessible storage path is used (e.g. S3 with public access, or Laravel's public disk), the attacker may gain the ability to execute or distribute arbitrary files, amounting to a potential Remote Code Execution (RCE) vector in some environments. This vulnerability was fixed in 5.7.0.
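The three gaps the advisory describes (missing Nova and Nova.Auth middleware on the route, no MIME or extension validation, and an attacker-chosen disk parameter) map to three server-side controls. Below is an added illustrative example of a hardened Laravel upload route that applies all three; it is not code from nova-tiptap or from its 5.7.0 fix. The controller name, the routes-file location, the allowed-type list, and the assumption that 'nova' and 'nova.auth' are middleware aliases registered in the application are mine, and the `File::types()` validation rule assumes Laravel 9 or later.

```php
<?php

// Added illustrative example (not nova-tiptap's code). It pairs an
// authenticated route with server-side upload validation and a fixed disk
// allowlist, closing the three gaps the advisory lists. The controller
// name and routes-file location are assumptions.

namespace App\Http\Controllers;

use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Routing\Controller;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\Storage;
use Illuminate\Support\Str;
use Illuminate\Validation\Rule;
use Illuminate\Validation\Rules\File;

class HardenedTiptapFileController extends Controller
{
    // Only disks an administrator has deliberately exposed for editor
    // assets. The client may choose among these, never name a disk freely.
    private const ALLOWED_DISKS = ['public'];

    // Content types the editor legitimately needs. Scripts (.php, .phtml,
    // .phar) and binaries fail validation before anything touches storage.
    private const ALLOWED_TYPES = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf'];

    public function store(Request $request): JsonResponse
    {
        $validated = $request->validate([
            // File::types() checks the MIME type detected from the file's
            // bytes, not the client-declared Content-Type or filename.
            // max() is in kilobytes: 10 MB here.
            'file' => ['required', File::types(self::ALLOWED_TYPES)->max(10 * 1024)],
            // The disk is constrained to the allowlist instead of being
            // passed through to Storage::disk() as supplied.
            'disk' => ['nullable', 'string', Rule::in(self::ALLOWED_DISKS)],
        ]);

        $disk = $validated['disk'] ?? self::ALLOWED_DISKS[0];
        $file = $request->file('file');

        // Store under a server-generated name whose extension comes from the
        // detected MIME type; the client's original filename is discarded.
        $name = Str::uuid()->toString() . '.' . $file->extension();
        $path = $file->storeAs('tiptap', $name, $disk);

        return response()->json([
            'path' => $path,
            'url'  => Storage::disk($disk)->url($path),
        ]);
    }
}

// Route registration (assumed to live in the package's or application's
// routes file). 'nova' and 'nova.auth' are the middleware the advisory
// names as missing; they must be registered in the application.
Route::post('/nova-tiptap/api/file', [HardenedTiptapFileController::class, 'store'])
    ->middleware(['nova', 'nova.auth']);
```

A defender reviewing a deployment running a version below 5.7.0 can check it against these three properties: the route carries the Nova authentication middleware, validation inspects the detected content type rather than trusting the client-supplied name or Content-Type, and the disk name is limited to an allowlist. Any of the three missing matches the condition the advisory describes.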
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
- Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
- Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
- Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.