6.9

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-27515

GHSA ID

GHSA-78fx-h6xr-vch4

EPSS Score

0.04993%

CWE

CWE-155

Published

3/5/2025

Updated

3/12/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-27515

CVE-2025-27515: Laravel has a File Validation Bypass

When using wildcard validation to validate a given file or image field array (files.*), a user-crafted malicious request could potentially bypass the validation rules.

(GitHub Advisory)

6.9

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-27515

GHSA ID

GHSA-78fx-h6xr-vch4

EPSS Score

0.04993%

CWE

CWE-155

Published

3/5/2025

Updated

3/12/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
laravel/framework	composer	>= 12.0.0, < 12.1.1	12.1.1
laravel/framework	composer	>= 11.0.0, < 11.44.1	11.44.1
laravel/framework	composer	< 10.48.29	10.48.29

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The core vulnerability stems from how array keys were processed during validation. The commit shows critical changes to:

Replace instance-based dotPlaceholder with static placeholderHash to prevent cross-validator conflicts
Modify attribute handling in validateUsingCustomRule to preserve original attributes for specific rules
Add tests verifying validation bypass using keys like '0', '.', '*' and 'asterisk'

The validateUsingCustomRule was vulnerable because it didn't properly restore original attribute names when handling File/Password rules, allowing attackers to bypass validation by using array keys that matched the validator's placeholder patterns. parseData's placeholder strategy was insufficient as it didn't account for multiple validator instances sharing static placeholders.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W**n usin* wil***r* v*li**tion to v*li**t* * *iv*n *il* or im*** *i*l* *rr*y (`*il*s.*`), * us*r-*r**t** m*li*ious r*qu*st *oul* pot*nti*lly *yp*ss t** v*li**tion rul*s.

Reasoning

T** *or* vuln*r**ility st*ms *rom *ow *rr*y k*ys w*r* pro**ss** *urin* v*li**tion. T** *ommit s*ows *riti**l ***n**s to: *. R*pl*** inst*n**-**s** *otPl****ol**r wit* st*ti* pl****ol**r**s* to pr*v*nt *ross-v*li**tor *on*li*ts *. Mo*i*y *ttri*ut* **n

6.9

Basic Information

Concerned about an active attack path?

CVE-2025-27515: Laravel has a File Validation Bypass

6.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI