Cyber Resilience

CVE-2025-54082

High

Published: 21 July 2025

Published
21 July 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 8.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0241 85.4th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-54082 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, ranked in the top 14.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability CVE-2025-54082 affects the marshmallow-packages/nova-tiptap package, a rich text editor for Laravel Nova based on tiptap. Prior to version 5.7.0, the package exposed a file upload endpoint at /nova-tiptap/api/file that lacked the Nova and Nova.Auth authentication middleware, performed no MIME type or extension validation on uploaded content, and permitted an attacker-supplied disk parameter. This combination enables unauthenticated uploads of arbitrary files, including executables, to any storage disk configured in the Laravel application such as local, public, or S3.

An unauthenticated attacker can exploit the flaw by crafting a POST request that includes a valid CSRF token and targets a publicly accessible disk. Successful exploitation allows the attacker to place malicious files such as .php scripts or binaries in a web-accessible location, which can result in remote code execution or distribution of malware depending on the storage configuration and web server settings.

The issue was addressed in release 5.7.0, as documented in the project security advisory GHSA-96c2-h667-9fxp and the associated commit that restores the missing middleware and adds file validation controls. The EPSS score remains low and unchanged at 0.0241 with no indicated rise in exploitation interest after disclosure.

EU & UK References

Vulnerability details

marshmallow-packages/nova-tiptap is a rich text editor for Laravel Nova based on tiptap. Prior to 5.7.0, a vulnerability was discovered in the marshmallow-packages/nova-tiptap Laravel Nova package that allows unauthenticated users to upload arbitrary files to any Laravel disk configured in the…

more

application. The vulnerability is due to missing authentication middleware (Nova and Nova.Auth) on the /nova-tiptap/api/file upload endpoint, the lack of validation on uploaded files (no MIME/type or extension restrictions), and the ability for an attacker to choose the disk parameter dynamically. This means an attacker can craft a custom form and send a POST request to /nova-tiptap/api/file, supplying a valid CSRF token, and upload executable or malicious files (e.g., .php, binaries) to public disks such as local, public, or s3. If a publicly accessible storage path is used (e.g. S3 with public access, or Laravel’s public disk), the attacker may gain the ability to execute or distribute arbitrary files — amounting to a potential Remote Code Execution (RCE) vector in some environments. This vulnerability was fixed in 5.7.0.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-434

Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.

addresses: CWE-434

Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.

addresses: CWE-434

Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.

addresses: CWE-434

Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.

References