CVE-2025-22145

Name: CVE-2025-22145
Description: Carbon is an international PHP extension for DateTime. Applications passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include; if the application allows users to upload files with a .php extension into a folder that include or require can read from, then they are at risk of arbitrary code being run on their servers. This vulnerability is fixed in 3.8.4 and 2.72.6.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1092680

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package            Release    Version     Status
php-nesbot-carbon (PTS)   bullseye   2.32.2-1    vulnerable
                          bookworm   2.65.0-1    vulnerable
                          sid        2.72.6-1    fixed

The information below is based on the following data on fixed versions.

Package             Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
php-nesbot-carbon   source   (unstable)   2.72.6-1                           1092680

Notes

https://github.com/CarbonPHP/carbon/security/advisories/GHSA-j3f9-p6hm-5w6q
https://github.com/briannesbitt/Carbon/commit/129700ed449b1f02d70272d2ac802357c8c30c58 (3.8.4)
https://github.com/briannesbitt/Carbon/commit/1e9d50601e7035a4c61441a208cb5bed73e108c5 (2.72.6)
