
CVE-2025-56399 PoC — Laravel File Manager security vulnerability

Associated Vulnerability
Title: Laravel File Manager security vulnerability (CVE-2025-56399)
Description: alexusmai laravel-file-manager 3.3.1 and before allows an authenticated attacker to achieve Remote Code Execution (RCE) through a crafted file upload. A file with a `.png` extension containing PHP code can be uploaded via the file manager interface. Although the upload appears to fail client-side validation, the file is still saved on the server. The attacker can then use the rename API to change the file extension to `.php`, and upon accessing it via a public URL, the server executes the embedded code.
Description
An authenticated Remote Code Execution (RCE) vulnerability in laravel-file-manager v3.3.1 and below allows attackers with access to the file manager interface to execute arbitrary code on the server.
Readme
# CVE-2025-56399 – Authenticated Remote Code Execution in `laravel-file-manager` v3.3.1

## 🧭 Overview
An authenticated Remote Code Execution (RCE) vulnerability in laravel-file-manager v3.3.1 and below allows attackers with access to the file manager interface to execute arbitrary code on the server. By uploading a file with a permitted non-PHP extension (e.g., .png, .pdf) containing malicious PHP code and renaming it to a .php extension, or by directly creating and editing a .php file, attackers can achieve RCE when the file is accessed via a public URL.

## 🧱 Affected Component
- **Project:** `laravel-file-manager`  
- **Component:** File upload / rename API  
- **Affected version:** **v3.3.1 and below**  
## 🎯 Attack Vectors
1. Authenticate with an account that has access to the file manager’s upload or create file functionality.
2. Upload a file (e.g., `shell.png`) containing malicious PHP code (e.g., `<?php system($_GET['c']); ?>`) via the file manager’s upload interface or API.
3. Use the rename API or interface to change the file extension from `shell.png` to `shell.php`.
4. Access the file at a public URL (e.g., `https://server-ip-address/storage/shell.php?c=id`) to execute the PHP payload.
5. Alternatively, use the "Create File" function to create a file (e.g., `shell.php`), then use the edit function to insert malicious PHP code and access it via a public URL.

## 💥 Impact
- Remote Code Execution (RCE): Attackers can execute arbitrary commands in the web server’s context.
- System Compromise: Depending on server configuration, this could lead to full compromise of the web application and host system.
- Critical Risk: High impact on confidentiality, integrity, and availability of the affected system.

## CVSS v3
### Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

#### Severity: High

## 🛡️ Recommended Remediation
- Implement server-side validation of file MIME types and magic bytes to ensure uploaded files match their extensions.
- Enforce a strict whitelist of allowed file extensions and reject executable extensions like .php.
- Restrict file renaming to prevent changing to executable extensions without additional validation.
- Disable script/PHP execution in upload directories.
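Server-side guards implementing the remediation above, as an added PHP example that is not code from laravel-file-manager or from this advisory. The function names and the signature table are assumptions, and the user is assumed to have been authenticated before these checks run.

```php
<?php
// Added example, not code from laravel-file-manager: upload and rename guards
// for the remediation above. Names and the signature table are assumptions;
// the caller is assumed to have already authenticated the user.
declare(strict_types=1);

// Allow-listed extensions and the magic bytes each file type must begin with.
const ALLOWED_SIGNATURES = [
    'png' => ["\x89PNG\r\n\x1a\n"],
    'jpg' => ["\xFF\xD8\xFF"],
    'pdf' => ['%PDF-'],
];
// Never write or rename to these under a web-served path (includes variants PHP handlers often execute).
const EXECUTABLE_EXTENSIONS = ['php', 'php3', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps'];
function extensionOf(string $name): string
{
    return strtolower(pathinfo($name, PATHINFO_EXTENSION));
}
// Check every dotted segment so double extensions (shell.php.png) are caught too.
function hasExecutableExtension(string $name): bool
{
    $parts = explode('.', strtolower(basename($name)));
    array_shift($parts); // drop the base name
    return count(array_intersect($parts, EXECUTABLE_EXTENSIONS)) > 0;
}
// Upload guard: extension on the allow-list and bytes carrying its signature.
// Returns null when acceptable, otherwise the reason for rejection.
function validateUpload(string $filename, string $bytes): ?string
{
    if (hasExecutableExtension($filename)) return 'executable extension rejected';
    $ext = extensionOf($filename);
    if (!isset(ALLOWED_SIGNATURES[$ext])) return "extension .$ext is not allowed";
    foreach (ALLOWED_SIGNATURES[$ext] as $magic) {
        if (strncmp($bytes, $magic, strlen($magic)) === 0) return null;
    }
    return "content does not match the .$ext signature";
}
// Rename guard: the new name must keep its extension and must not become
// executable, which closes the upload-then-rename path this advisory describes.
function validateRename(string $oldName, string $newName): ?string
{
    if (hasExecutableExtension($newName)) return 'rename to executable extension rejected';
    if (extensionOf($oldName) !== extensionOf($newName)) return 'changing the extension is not permitted';
    return null;
}
// Constructed inputs: PHP text disguised as .png, a real PNG header, and the rename.
var_dump(validateUpload('shell.png', '<?php echo 1;'));
var_dump(validateUpload('logo.png', "\x89PNG\r\n\x1a\nIHDR"));
var_dump(validateRename('shell.png', 'shell.php'));
```

The same `hasExecutableExtension` check also belongs on the name passed to the "Create File" function, and the checks complement rather than replace disabling PHP execution in the upload directory.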

> ## 🙏 Credits
> Discovered and reported by: **Chayawat Jeamprasertboon, Thanakorn Boontem, Theethat Thamwasin**

---