laravel/framework-v10.35.0: 7 vulnerabilities (highest severity is: 9.8) #1
Description
Vulnerable Library - laravel/framework-v10.35.0
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/91ec2d92d2f6007e9084fe06438b99c91845da69
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (laravel/framework-v10.35.0 version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-27515 |  Critical |
9.8 | laravel/framework-v10.35.0 | Direct | v12.1.1,v11.44.1 | ❌ |
| CVE-2025-64500 |  High |
7.3 | symfony/http-foundation-v6.4.0 | Transitive | N/A* | ❌ |
| CVE-2025-22145 | High |
7.3 | nesbot/carbon-2.72.0 | Transitive | N/A* | ❌ |
| CVE-2025-46734 |  Medium |
6.4 | league/commonmark-2.4.1 | Transitive | N/A* | ❌ |
| CVE-2024-50345 |  Low |
3.1 | symfony/http-foundation-v6.4.0 | Transitive | N/A* | ❌ |
| CVE-2024-52301 | Low |
0.0 | laravel/framework-v10.35.0 | Direct | laravel/framework-6.20.45,7.30.7,8.83.28,9.52.17,10.48.23,11.31.0 | ❌ |
| CVE-2024-51736 | Low |
0.0 | symfony/process-v6.4.0 | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-27515
Vulnerable Library - laravel/framework-v10.35.0
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/91ec2d92d2f6007e9084fe06438b99c91845da69
Dependency Hierarchy:
- ❌ laravel/framework-v10.35.0 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Laravel is a web application framework. When using wildcard validation to validate a given file or image field ("files.*"), a user-crafted malicious request could potentially bypass the validation rules. This vulnerability is fixed in 11.44.1 and 12.1.1.
Publish Date: 2025-03-05
URL: CVE-2025-27515
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-wppf-gqj5-fc4f
Release Date: 2025-03-05
Fix Resolution: v12.1.1,v11.44.1
CVE-2025-64500
Vulnerable Library - symfony/http-foundation-v6.4.0
Defines an object-oriented layer for the HTTP specification
Library home page: https://api.github.com/repos/symfony/http-foundation/zipball/44a6d39a9cc11e154547d882d5aac1e014440771
Dependency Hierarchy:
- laravel/framework-v10.35.0 (Root Library)
- ❌ symfony/http-foundation-v6.4.0 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the "Request" class improperly interprets some "PATH_INFO" in a way that leads to representing some URLs with a path that doesn't start with a "/". This can allow bypassing some access control rules that are built with this "/"-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the "Request" class now ensures that URL paths always start with a "/".
Publish Date: 2025-11-12
URL: CVE-2025-64500
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-3rg7-wf37-54rm
Release Date: 2025-11-12
Fix Resolution: symfony/symfony - v7.3.7,symfony/symfony - v5.4.50,symfony/http-foundation - v6.4.29,symfony/http-foundation - v5.4.50,symfony/http-foundation - v7.3.7,symfony/symfony - v6.4.29
CVE-2025-22145
Vulnerable Library - nesbot/carbon-2.72.0
An API extension for DateTime that supports 281 different languages.
Library home page: https://api.github.com/repos/briannesbitt/Carbon/zipball/a6885fcbad2ec4360b0e200ee0da7d9b7c90786b
Dependency Hierarchy:
- laravel/framework-v10.35.0 (Root Library)
- ❌ nesbot/carbon-2.72.0 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Carbon is an international PHP extension for DateTime. Application passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include, if the application allows users to upload files with .php extension in an folder that allows include or require to read it, then they are at risk of arbitrary code ran on their servers. This vulnerability is fixed in 3.8.4 and 2.72.6.
Publish Date: 2025-01-08
URL: CVE-2025-22145
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-j3f9-p6hm-5w6q
Release Date: 2025-01-08
Fix Resolution: 2.72.6,3.8.4
CVE-2025-46734
Vulnerable Library - league/commonmark-2.4.1
Highly-extensible PHP Markdown parser which fully supports the CommonMark spec and GitHub-Flavored Markdown (GFM)
Library home page: https://api.github.com/repos/thephpleague/commonmark/zipball/3669d6d5f7a47a93c08ddff335e6d945481a1dd5
Dependency Hierarchy:
- laravel/framework-v10.35.0 (Root Library)
- ❌ league/commonmark-2.4.1 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
league/commonmark is a PHP Markdown parser. A cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library (versions 1.5.0 through 2.6.x) allows remote attackers to insert malicious JavaScript calls into HTML. The league/commonmark library provides configuration options such as "html_input: 'strip'" and "allow_unsafe_links: false" to mitigate cross-site scripting (XSS) attacks by stripping raw HTML and disallowing unsafe links. However, when the Attributes Extension is enabled, it introduces a way for users to inject arbitrary HTML attributes into elements via Markdown syntax using curly braces. Version 2.7.0 contains three changes to prevent this XSS attack vector: All attributes starting with "on" are considered unsafe and blocked by default; support for an explicit allowlist of allowed HTML attributes; and manually-added "href" and "src" attributes now respect the existing "allow_unsafe_links" configuration option. If upgrading is not feasible, please consider disabling the "AttributesExtension" for untrusted users and/or filtering the rendered HTML through a library like HTMLPurifier.
Publish Date: 2025-05-05
URL: CVE-2025-46734
CVSS 3 Score Details (6.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-3527-qv2q-pfvx
Release Date: 2025-05-05
Fix Resolution: league/commonmark - 2.7.0
CVE-2024-50345
Vulnerable Library - symfony/http-foundation-v6.4.0
Defines an object-oriented layer for the HTTP specification
Library home page: https://api.github.com/repos/symfony/http-foundation/zipball/44a6d39a9cc11e154547d882d5aac1e014440771
Dependency Hierarchy:
- laravel/framework-v10.35.0 (Root Library)
- ❌ symfony/http-foundation-v6.4.0 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
symfony/http-foundation is a module for the Symphony PHP framework which defines an object-oriented layer for the HTTP specification. The "Request" class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the "Request" class to redirect users to another domain. The "Request::create" methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/. This issue has been patched in versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-11-06
URL: CVE-2024-50345
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
CVE-2024-52301
Vulnerable Library - laravel/framework-v10.35.0
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/91ec2d92d2f6007e9084fe06438b99c91845da69
Dependency Hierarchy:
- ❌ laravel/framework-v10.35.0 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Laravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-cli SAPIs.
Publish Date: 2024-11-12
URL: CVE-2024-52301
CVSS 3 Score Details (0.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-gv7v-rgg6-548h
Release Date: 2024-11-12
Fix Resolution: laravel/framework-6.20.45,7.30.7,8.83.28,9.52.17,10.48.23,11.31.0
CVE-2024-51736
Vulnerable Library - symfony/process-v6.4.0
Executes commands in sub-processes
Library home page: https://api.github.com/repos/symfony/process/zipball/191703b1566d97a5425dc969e4350d32b8ef17aa
Dependency Hierarchy:
- laravel/framework-v10.35.0 (Root Library)
- ❌ symfony/process-v6.4.0 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. On Windows, when an executable file named "cmd.exe" is located in the current working directory it will be called by the "Process" class when preparing command arguments, leading to possible hijacking. This issue has been addressed in release versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-11-06
URL: CVE-2024-51736
CVSS 3 Score Details (0.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: None