CVE-2025-27515

Name: CVE-2025-27515

Description: Laravel is a web application framework. When using wildcard validation to validate a given file or image field (`files.*`), a user-crafted malicious request could potentially bypass the validation rules. This vulnerability is fixed in 11.44.1 and 12.1.1.

Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

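| Source Package | Release | Version | Status |
|---|---|---|---|
| php-laravel-framework (PTS) | bullseye | 6.20.14+dfsg-2+deb11u1 | vulnerable |
| php-laravel-framework | bullseye (security) | 6.20.14+dfsg-2+deb11u2 | vulnerable |
| php-laravel-framework | bookworm | 8.83.26+dfsg-2 | vulnerable |
| php-laravel-framework | sid, trixie | 10.48.25+dfsg-2 | vulnerable |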

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| php-laravel-framework | source | (unstable) | (unfixed) | | | |

Notes

https://github.com/laravel/framework/security/advisories/GHSA-78fx-h6xr-vch4
https://github.com/laravel/framework/commit/2d133034fefddfb047838f4caca3687a3ba811a5 (v12.1.1)
