[pkg-php-pear] Bug#1092680: php-nesbot-carbon: CVE-2025-22145
Salvatore Bonaccorso
carnil at debian.org
Fri Jan 10 16:57:44 GMT 2025
Source: php-nesbot-carbon
Version: 2.69.0-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for php-nesbot-carbon.
CVE-2025-22145[0]:
| Carbon is an international PHP extension for DateTime. Application
| passing unsanitized user input to Carbon::setLocale are at risk of
| arbitrary file include, if the application allows users to upload
| files with .php extension in an folder that allows include or
| require to read it, then they are at risk of arbitrary code ran on
| their servers. This vulnerability is fixed in 3.8.4 and 2.72.6.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-22145
https://www.cve.org/CVERecord?id=CVE-2025-22145
[1] https://github.com/CarbonPHP/carbon/security/advisories/GHSA-j3f9-p6hm-5w6q
[2] https://github.com/briannesbitt/Carbon/commit/1e9d50601e7035a4c61441a208cb5bed73e108c5
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the pkg-php-pear
mailing list