Overview
A serious directory traversal vulnerability, tracked as CVE-2025-65346, has been reported in alexusmai's laravel-file-manager version 3.3.1 and below. A user who can upload and extract an archive through the file manager can write files to arbitrary locations on the server's filesystem, within the permissions of the PHP process. On a PHP application that typically means remote code execution (a dropped .php file under the web root) or tampering with configuration and data. The root cause is missing validation of the paths of archive entries during the unzip/extraction process, the pattern commonly known as "Zip Slip".
Technical Details
The vulnerability resides in the component that handles archive extraction. The application does not validate the entry names stored inside the archive before using them to build the destination path. An attacker crafts an archive whose entries carry relative names with parent-directory segments (for example "../../../../../etc/passwd"); absolute names and backslash-separated variants belong to the same class and need the same check. When laravel-file-manager extracts such an archive, it writes each entry's contents to the attacker-chosen location, overwriting existing files or creating new ones outside the intended upload directory. Nothing in the extraction path confirms that the resulting file name still lies under the target directory before the write to disk.
CVSS Analysis
No CVSS score had been published at the time of writing, so an official severity rating is not available. That does not make the issue any less dangerous: an arbitrary file write on a PHP application lets an attacker overwrite important files or drop executable code under the web root, and directory traversal bugs of this kind are routinely rated high or critical once scored. Treat it as such pending an official score and apply the steps listed below.
Possible Impact
The potential impact of this vulnerability is severe. Everything below is bounded by the permissions of the user the PHP process runs as, but that user usually owns the application tree. An attacker could:
- Overwrite application or system files the PHP user can write to, causing denial of service.
- Drop malicious code (for example a PHP web shell) under the web root or another location the application will execute, gaining remote code execution.
- Tamper with configuration such as Laravel's .env or config files to change application behaviour, or use dropped code to read secrets and other sensitive files on the server.
- Use the foothold above to compromise the whole server and its data, particularly where the PHP process has broad privileges or a local privilege escalation is available.
Mitigation or Patch Steps
Immediate action is required to mitigate this vulnerability. Take the following steps:
- Upgrade Laravel File Manager: The most effective fix is to upgrade to a patched version of laravel-file-manager, if one is available. Check the official repository for releases newer than 3.3.1 and for the advisory's fixed version.
- Validate Archive Entry Paths: If an upgrade is not immediately possible, validate every entry name before extraction. Reject entries that are absolute, that contain a ".." path segment after normalising both "/" and "\" as separators, or that would otherwise resolve outside the intended upload directory, and confirm the resolved destination is still under that directory before writing.
- Disable Archive Extraction: If archive extraction is not an essential feature, disable it until a patch is applied.
- Web Application Firewall (WAF): Update WAF rules to detect and block directory traversal attempts, bearing in mind that here the traversal sequences live inside the uploaded archive, not in a URL or form parameter; a WAF that only inspects request parameters will not see them unless it also inspects archive contents.
- Monitor for Suspicious Activity: Watch server and application logs for archive uploads and extractions, and alert on new .php files or modified configuration files (for example .env) appearing outside the upload directory, especially when written by the web server user.
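The entry-path validation described in the "Validate Archive Entry Paths" step, as an added example (not code from laravel-file-manager or its maintainers). It is plain PHP 8 using the bundled ZipArchive extension; the function names and the archive and directory paths in the usage lines are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not laravel-file-manager's own code. Two checks: reject any
// archive entry whose name would resolve outside the destination (lexical
// check), then confirm with realpath() that the directory being written to is
// still inside it (catches pre-existing symlinks). Requires PHP 8 + ZipArchive.

/** Entry name -> path components relative to the destination, or null to reject. */
function safeRelativeParts(string $entryName): ?array
{
    if (str_contains($entryName, "\0")) {
        return null;                       // PHP filesystem calls refuse NUL bytes
    }
    // Treat backslashes as separators: Windows-built archives contain them and
    // PHP on Windows honours them, so "..\\x" must be caught like "../x".
    $name = str_replace('\\', '/', $entryName);
    if ($name === '' || $name[0] === '/' || preg_match('/^[A-Za-z]:/', $name)) {
        return null;                       // absolute path or drive letter
    }
    $parts = [];
    foreach (explode('/', $name) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;                      // "a//b", "a/./b" are harmless noise
        }
        if ($segment === '..') {
            return null;                   // one ".." anywhere is enough to reject
        }
        $parts[] = $segment;
    }
    return $parts === [] ? null : $parts;
}

/** Names of the entries in $zipPath that would escape the extraction directory. */
function traversalEntries(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("Cannot open archive: $zipPath");
    }
    $bad = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = (string) $zip->getNameIndex($i);
        if (safeRelativeParts($name) === null) {
            $bad[] = $name;
        }
    }
    $zip->close();
    return $bad;
}

/** Extract $zipPath into $destDir, aborting on the first entry that would escape it. */
function safeExtract(string $zipPath, string $destDir): array
{
    $base = realpath($destDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException("Destination directory does not exist: $destDir");
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("Cannot open archive: $zipPath");
    }
    $written = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name  = (string) $zip->getNameIndex($i);
        $parts = safeRelativeParts($name);
        if ($parts === null) {
            $zip->close();
            throw new RuntimeException("Rejected archive entry: $name");
        }
        $target = $base . implode(DIRECTORY_SEPARATOR, $parts);
        $isDir  = str_ends_with($name, '/') || str_ends_with($name, '\\');
        $dir    = $isDir ? $target : dirname($target);
        if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
            $zip->close();
            throw new RuntimeException("Cannot create directory: $dir");
        }
        // Defence in depth: the lexical check cannot see a symlink already under
        // $base pointing elsewhere, so re-check the resolved path before writing.
        $resolved = realpath($dir);
        if ($resolved === false || !str_starts_with($resolved . DIRECTORY_SEPARATOR, $base)) {
            $zip->close();
            throw new RuntimeException("Entry resolves outside destination: $name");
        }
        if ($isDir) {
            continue;
        }
        $stream = $zip->getStream($name);
        if ($stream === false) {
            $zip->close();
            throw new RuntimeException("Cannot read entry: $name");
        }
        file_put_contents($target, $stream);   // file_put_contents accepts a stream resource
        fclose($stream);
        $written[] = $target;
    }
    $zip->close();
    return $written;
}

// Usage (paths are assumptions): scan first, extract only if nothing escapes.
// $bad = traversalEntries('/tmp/upload.zip');   // e.g. ["../../../../../etc/passwd"]
// if ($bad === []) { safeExtract('/tmp/upload.zip', '/var/www/storage/app/public'); }
```

Run traversalEntries() in the upload validation step so a hostile archive is rejected (and logged) before anything touches the filesystem, and use safeExtract() in place of a bare extraction call. The extra realpath() check matters because a symlink already sitting under the upload directory can redirect a lexically valid entry name elsewhere; the lexical check alone would not notice.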
References
- CVE ID: CVE-2025-65346
- Proof of Concept: https://github.com/Theethat-Thamwasin/CVE-2025-65346
- Laravel File Manager Repository: https://github.com/alexusmai/laravel-file-manager
