N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-65346

CVE-2025-65346: alexusmai laravel-file-manager is vulnerable to Directory Traversal via the unzip/extraction functionality

alexusmai laravel-file-manager 3.3.1 and below is vulnerable to Directory Traversal. The unzip/extraction functionality improperly allows archive contents to be written to arbitrary locations on the filesystem due to insufficient validation of extraction paths.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-65346

CVE-2025-65346:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
alexusmai/laravel-file-manager	composer	<= 3.3.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists within the unzip functionality of the alexusmai/laravel-file-manager package, specifically in the src/Services/Zip.php file. The analysis of this file reveals that the extractArchive method is responsible for extracting zip files. This method uses PHP's built-in ZipArchive::extractTo function to unpack the archive. However, it fails to sanitize the filenames contained within the zip file before extraction. This allows an attacker to craft a malicious zip archive containing path traversal sequences (e.g., ../../evil.php). When the application processes this archive, the extractTo function will write the malicious file to a location outside of the intended extraction directory, based on the traversal path. This can lead to arbitrary file writes and potentially remote code execution if a web-accessible directory is targeted. The extract method is the public-facing function in the Zip service that calls the vulnerable extractArchive method, making it a critical part of the call stack during exploitation.

Vulnerable functions

Alexusmai\LaravelFileManager\Services\Zip::extractArchive

src/Services/Zip.php

The 'extractArchive' function is vulnerable to directory traversal. It uses 'ZipArchive::extractTo' to extract an archive's contents without validating or sanitizing the file paths within the archive. An attacker can create a zip file with filenames containing '..' sequences to write files to arbitrary locations on the filesystem, potentially leading to remote code execution.

Alexusmai\LaravelFileManager\Services\Zip::extract

src/Services/Zip.php

This function serves as the entry point for the unzip operation within the 'Zip' service. It directly calls the vulnerable 'extractArchive' method, making it a key part of the exploitation chain. A runtime profiler would show this function in the stack trace when the vulnerability is triggered.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-65346: alexusmai laravel-file-manager is vulnerable to Directory Traversal via the unzip/extraction functionality

CVE-2025-65346:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

N/A

N/A

CVE-2025-65346: alexusmai laravel-file-manager is vulnerable to Directory Traversal via the unzip/extraction functionality

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI