CVE-2025-27515
Published: 2025-03-05
Priority: P356 · critical 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.69% (48.0th percentile)
Laravel is a web application framework. When using wildcard validation to validate a given file or image field (`files.*`), a user-crafted malicious request could potentially bypass the validation rules. This vulnerability is fixed in 11.44.1 and 12.1.1.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php-laravel-framework | < php-laravel-framework 10.48.29+dfsg-1 (forky) | php-laravel-framework 10.48.29+dfsg-1 (forky) |
| laravel | framework | < 11.44.1 | 11.44.1 |
| laravel | framework | — | — |
| laravel | framework | >= 0 < 10.48.29 | 10.48.29 |
| laravel | framework | >= 11.0.0 < 11.44.1 | 11.44.1 |
| laravel | framework | >= 12.0.0 < 12.1.1 | 12.1.1 |
| laravel | framework | >= 12.0.0 < 12.1.1 | 12.1.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | | 6.9 | MEDIUM | |
| vendor_debian | | 6.9 | MEDIUM | |
Debian
CVE-2025-27515: php-laravel-framework - Laravel is a web application framework. When using wildcard validation to valida...
vendor_debian·2025·CVSS 6.9
CVE-2025-27515 [MEDIUM] CVE-2025-27515: php-laravel-framework - Laravel is a web application framework. When using wildcard validation to valida...
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 10.48.29+dfsg-1)
sid: resolved (fixed in 10.48.29+dfsg-1)
trixie: resolved (fixed in 10.48.29+dfsg-1)
OSV
CVE-2025-27515: Laravel is a web application framework
osv·2025-03-05·CVSS 6.9
CVE-2025-27515 [MEDIUM] CVE-2025-27515: Laravel is a web application framework
GHSA
Laravel has a File Validation Bypass
ghsa·2025-03-05
CVE-2025-27515 [MEDIUM] CWE-155 Laravel has a File Validation Bypass
When using wildcard validation to validate a given file or image field array (`files.*`), a user-crafted malicious request could potentially bypass the validation rules.
OSV
Laravel has a File Validation Bypass
osv·2025-03-05
CVE-2025-27515 [MEDIUM] Laravel has a File Validation Bypass
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.