A big safety vulnerability has been found in Livewire Filemanager, a extensively used file administration element embedded in Laravel internet functions.
Tracked as CVE-2025-14894 and assigned vulnerability word VU#650657, the flaw permits unauthenticated attackers to execute arbitrary code on weak servers.
The vulnerability stems from improper file validation within the LivewireFilemanagerComponent.php element.
The instrument fails to implement satisfactory file kind and MIME validation, permitting attackers to add malicious PHP recordsdata immediately by means of the net interface.
CVE IDTracking IDPublication DateSeverityCVE-2025-14894VU#650657January 16, 2026High
As soon as uploaded, these recordsdata might be executed through the publicly accessible /storage/ listing, offered the php artisan storage: hyperlink command has been executed throughout the usual Laravel setup course of.
The seller intentionally marks file-type validation as out of scope of their safety documentation, inserting the duty for validation on builders.
Nevertheless, the essential problem lies within the instrument’s structure, which immediately exposes uploaded recordsdata to execution with out extra safeguards.
Profitable exploitation grants attackers distant code execution (RCE) with the privileges of the net server person.
This allows complete system compromise, together with unrestricted file learn and write entry to all recordsdata accessible by the net server course of. Attackers can then pivot to compromise related programs and infrastructure.
The assault requires no authentication and might be executed remotely by merely importing a PHP webshell to the applying by means of Livewire Filemanager’s add interface, then triggering execution by accessing the file through the storage URL.
Affected Platforms and Standing
On the time of disclosure, distributors haven’t acknowledged the vulnerability.
EntityStatusBee InteractiveUnknownLaravelUnknownLaravel SwissUnknown
CERT/CC recommends instant protecting measures, together with verifying whether or not php artisan storage: hyperlink has been executed and, if confirmed, eradicating internet serving functionality.
Organizations utilizing Livewire Filemanager ought to instantly implement file add restrictions on the utility degree, unbiased of Livewire’s performance.
Take into account implementing strict allowlist insurance policies that restrict uploads to protected file varieties and apply complete MIME kind validation.
Storing uploaded recordsdata exterior the web-accessible listing. Flip off the general public storage hyperlink if internet serving is pointless for operations.
Comply with us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to function your tales.
