CVE-2025-22145 – nesbot/carbon
Package
Manager: composer
Name: nesbot/carbon
Vulnerable Version: >=3.0.0 <3.8.4 || >=0 <2.72.6
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00065 pctl0.20386
Details
Carbon has an arbitrary file include via unvalidated input passed to Carbon::setLocale

### Impact

Applications passing unsanitized user input to `Carbon::setLocale` are at risk of arbitrary file include. If the application also allows users to upload files with a `.php` extension into a folder that `include` or `require` can read, then it is at risk of arbitrary code being run on its servers.

### Patches

- [3.8.4](https://github.com/briannesbitt/Carbon/releases/tag/3.8.4)
- [2.72.6](https://github.com/briannesbitt/Carbon/releases/tag/2.72.6)

### Workarounds

Any of the actions below can be taken to prevent the issue:

- Validate input before calling `setLocale()`, for instance by forbidding or removing `/` and `\`
- Call `setLocale()` only with a locale from a whitelist of supported locales
- When uploading files, rename them so they cannot have a `.php` extension (this is recommended even if you're not affected by this issue)
- Prefer storage systems that are not local to the application (a remote service, or a local service run by another user, so the uploaded files actually live outside of the application basedir)

### References

https://en.wikipedia.org/wiki/File_inclusion_vulnerability

### Credits

Thanks to **Szczepan Hołyszewski** who reported the issue and to Tidelift for coordinating the resolution
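The first two workarounds combined, as an added example that is not part of Carbon or of this advisory: a wrapper that checks the locale's shape and membership in an application-defined whitelist before anything reaches `Carbon::setLocale`. The function name `safeSetLocale`, the `SUPPORTED_LOCALES` list and the sample inputs are assumptions constructed for the example; it assumes a patched nesbot/carbon is installed via Composer.

```php
<?php
// Added example, not Carbon's own code: validate an untrusted locale string
// before handing it to Carbon::setLocale(). Assumes Composer autoloading.
require __DIR__ . '/vendor/autoload.php';

use Carbon\Carbon;

// Locales this application actually ships translations for.
// Constructed for the example; adjust to your deployment.
const SUPPORTED_LOCALES = ['en', 'fr', 'de', 'pt_BR', 'zh_TW'];

/**
 * Applies the locale only when the input is an exact member of the whitelist.
 * Returns false (and leaves the locale untouched) for anything else, so
 * strings containing path separators or traversal sequences never reach Carbon.
 */
function safeSetLocale(string $requested): bool
{
    // Structural check first: a locale identifier is letters and underscores only.
    // This holds even if the whitelist is later edited carelessly.
    if (preg_match('/^[a-z]{2,3}(_[A-Za-z]{2,4})?$/', $requested) !== 1) {
        return false;
    }
    // Strict comparison against the whitelist (no type juggling).
    if (!in_array($requested, SUPPORTED_LOCALES, true)) {
        return false;
    }
    Carbon::setLocale($requested);
    return true;
}

// Untrusted candidates as they might arrive from a ?lang= parameter
// (constructed for the example).
$candidates = ['fr', 'pt_BR', '../../uploads/evil', 'en/../x', 'xx', 'EN'];
foreach ($candidates as $candidate) {
    printf("%-24s -> %s\n",
        var_export($candidate, true),
        safeSetLocale($candidate) ? 'accepted' : 'rejected');
}
```

Only `fr` and `pt_BR` are accepted; the traversal strings fail the pattern check and `xx` and `EN` fail the whitelist check.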
Metadata
Created: 2025-01-08T21:03:28Z
Modified: 2025-02-25T18:39:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-j3f9-p6hm-5w6q/GHSA-j3f9-p6hm-5w6q.json
CWE IDs: ["CWE-98"]
Alternative ID: GHSA-j3f9-p6hm-5w6q
Finding: F123
Auto approve: 1