[pkg-php-pear] Bug#1103881: php-laravel-framework: CVE-2025-27515

Moritz Mühlenhoff jmm at inutil.org
Tue Apr 22 13:09:36 BST 2025


Source: php-laravel-framework
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for php-laravel-framework.

CVE-2025-27515[0]:
| Laravel is a web application framework. When using wildcard
| validation to validate a given file or image field (`files.*`), a
| user-crafted malicious request could potentially bypass the
| validation rules. This vulnerability is fixed in 11.44.1 and 12.1.1.

https://github.com/laravel/framework/security/advisories/GHSA-78fx-h6xr-vch4
https://github.com/laravel/framework/commit/2d133034fefddfb047838f4caca3687a3ba811a5 (v12.1.1)

There are also two other security issues affecting sid/trixie which
are already fixed in experimental:
https://security-tracker.debian.org/tracker/CVE-2024-13918
https://security-tracker.debian.org/tracker/CVE-2024-13919

So possibly trixie should be moved to 11.44.1 unless it's a very
breaking change between 10 and 11?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-27515
    https://www.cve.org/CVERecord?id=CVE-2025-27515

Please adjust the affected versions in the BTS as needed.