
GHSA-3wgq-h4fr-cwg5: laravel-crud-wizard-free has File Validation Bypass

CVSS Score: N/A

Basic Information

CVE ID: -
EPSS Score: -
Published: 3/12/2025
Updated: 3/12/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: -

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| macropay-solutions/laravel-crud-wizard-free | composer | < 3.4.17 | 3.4.17 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from improper wildcard handling in Laravel's validation component (illuminate/validation). While the laravel-crud-wizard-free package itself didn't contain vulnerable code, it became vulnerable by depending on unpatched Laravel versions (<11.44.1). The key vulnerable functions are in Laravel's Validator class: parseData() (improper array key sanitization) and replaceDotInParameters() (flawed wildcard normalization). The package's fix involved implementing a custom ValidationServiceProvider to override these methods with proper placeholder handling.
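To check whether a deployed application still sits inside the ranges listed above, here is an added PHP audit script; it is not code from the advisory, Miggo or the package. It assumes Composer 2's runtime API (Composer\InstalledVersions), is run from the Laravel application root, and uses the thresholds the advisory states (package < 3.4.17, illuminate/validation < 11.44.1).

```php
<?php
// Added example (not from the advisory, Miggo or the package): audit installed
// versions against the ranges this advisory lists. Run from the Laravel app
// root; assumes Composer 2's runtime API (Composer\InstalledVersions).
require __DIR__ . '/vendor/autoload.php';
use Composer\InstalledVersions;

const FIRST_PATCHED = [ // first patched versions as stated in the advisory
    'macropay-solutions/laravel-crud-wizard-free' => '3.4.17',
    'illuminate/validation'                       => '11.44.1',
];
// [normalized, pretty] version of an installed package, or null if absent.
function resolveVersion(string $name): ?array
{
    if (!InstalledVersions::isInstalled($name)) {
        return null;
    }
    $normalized = InstalledVersions::getVersion($name);       // e.g. "3.4.16.0"
    $pretty     = InstalledVersions::getPrettyVersion($name); // e.g. "v3.4.16"
    // A full Laravel install "replaces" illuminate/* with laravel/framework, so
    // Composer reports no version for the component: use the framework's.
    if ($normalized === null && InstalledVersions::isInstalled('laravel/framework')) {
        $normalized = InstalledVersions::getVersion('laravel/framework');
        $pretty     = InstalledVersions::getPrettyVersion('laravel/framework');
    }
    return $normalized === null ? null : [$normalized, $pretty];
}

function auditPackage(string $name, string $firstPatched): string
{
    $v = resolveVersion($name);
    if ($v === null) {
        return "$name: not installed";
    }
    [$normalized, $pretty] = $v;
    if (str_starts_with($normalized, 'dev-')) { // branch alias, not comparable
        return "$name: $pretty (dev branch, check manually)";
    }
    return version_compare($normalized, $firstPatched, '<')
        ? "$name: $pretty VULNERABLE (first patched: $firstPatched)"
        : "$name: $pretty ok";
}
$exitCode = 0;
foreach (FIRST_PATCHED as $name => $firstPatched) {
    $line = auditPackage($name, $firstPatched);
    echo $line, PHP_EOL;
    if (str_contains($line, 'VULNERABLE')) { $exitCode = 1; } // lets CI fail on it
}
exit($exitCode);
```

The exit status is non-zero when either package is in a vulnerable range, so the script can gate a CI job; a `dev-` branch version is reported but not compared, since it carries no numeric version to check.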


WAF Protection Rules

WAF Rule

### Impact

Medium

### Patches

Version 3.4.17 fixes illuminate/validation v *.*.* to **.**.*

### Workarounds

Register \MacropaySolutions\LaravelCrudWizard\Providers\ValidationServiceProvider instead of Illuminate\Validation\ValidationServiceProvider
