CVE-2025-27515: Improper Neutralization of Wildcards or Matching Symbols in Framework

Severity: 6.9 MEDIUM (NVD)
EPSS: 0.3% (top 48.21%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 5

Description

Laravel is a web application framework. When using wildcard validation to validate a given file or image field (`files.*`), a user-crafted malicious request could potentially bypass the validation rules. This vulnerability is fixed in 11.44.1 and 12.1.1.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages (4 packages)

NVD: laravel/framework, introduced 12.0.0, fixed 12.1.1 (+1 more)
Packagist: laravel/framework, introduced 12.0.0, fixed 12.1.1 (+2 more)
Debian: debian/php-laravel-framework, < php-laravel-framework 10.48.29+dfsg-1 (forky)
CVEListV5: laravel/framework, >= 12.0.0, < 12.1.1

Patches

Vulnerability Details (3)

OSV: CVE-2025-27515: Laravel is a web application framework (2025-03-05)
GHSA: Laravel has a File Validation Bypass (2025-03-05)
OSV: Laravel has a File Validation Bypass (2025-03-05)

Vendor Advisories (1)

Debian: CVE-2025-27515: php-laravel-framework - Laravel is a web application framework. When using wildcard validation to valida... (2025)
CVE-2025-27515 — Laravel Framework vulnerability | cvebase