CVE-2025-22145 - Vulnerability Details

Carbon is an international PHP extension for DateTime. Application passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include, if the application allows users to upload files with .php extension in an folder that allows include or require to read it, then they are at risk of arbitrary code ran on their servers. This vulnerability is fixed in 3.8.4 and 2.72.6.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00112.

Exploitation none

Automatable no

Technical Impact partial

No data.

Advisories

Source	ID	Title
Debian DLA	DLA-4068-1	php-nesbot-carbon security update
EUVD	EUVD-2025-0030	Carbon is an international PHP extension for DateTime. Application passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include, if the application allows users to upload files with .php extension in an folder that allows include or require to read it, then they are at risk of arbitrary code ran on their servers. This vulnerability is fixed in 3.8.4 and 2.72.6.
Github GHSA	GHSA-j3f9-p6hm-5w6q	Carbon has an arbitrary file include via unvalidated input passed to Carbon::setLocale

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/CarbonPHP/carbon/security/advisories/GHSA-j3f9-p6hm-5w6q
https://github.com/briannesbitt/Carbon/commit/129700ed449b1f02d70272d2ac802357c8c30c58
https://lists.debian.org/debian-lts-announce/2025/02/msg00032.html

History

Tue, 25 Feb 2025 13:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/02/msg00032.html

Wed, 12 Feb 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 08 Jan 2025 20:45:00 +0000

Type	Values Removed	Values Added
Description		Carbon is an international PHP extension for DateTime. Application passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include, if the application allows users to upload files with .php extension in an folder that allows include or require to read it, then they are at risk of arbitrary code ran on their servers. This vulnerability is fixed in 3.8.4 and 2.72.6.
Title		Carbon has an arbitrary file include via unvalidated input passed to Carbon::setLocale
Weaknesses		CWE-98
References		https://github.com/CarbonPHP/carbon/security/advisories/GHSA-j3f9-p6hm-5w6q https://github.com/briannesbitt/Carbon/commit/129700ed449b1f02d70272d2ac802357c8c30c58
Metrics		cvssV4_0 `{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-01-08T20:40:37.545Z

Updated: 2025-02-25T13:07:45.559Z

Reserved: 2024-12-30T03:00:33.654Z

Link: CVE-2025-22145

Vulnrichment

Updated: 2025-02-25T13:07:45.559Z

NVD

Status : Awaiting Analysis

Published: 2025-01-08T21:15:13.480

Modified: 2025-02-25T13:15:10.927

Link: CVE-2025-22145

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object