CVE-2025-22145 MEDIUM

CVE-2025-22145: Carbon has an arbitrary file include via unvalidated input passed to Carbon::setLocale

Vendor Carbonphp
Product carbon
Weakness CWE-98 · PHP file inclusion
Published January 8, 2025
Last update February 25, 2025

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

Description

Carbon is an international PHP extension for DateTime. Applications passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include; if the application also allows users to upload files with a .php extension into a folder that include or require can read, they are at risk of arbitrary code being run on their servers. This vulnerability is fixed in 3.8.4 and 2.72.6.
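The risky pattern the advisory describes, next to a hardened wrapper, as an added example that is not code from the Carbon project or the advisory. The allow-list `SUPPORTED_LOCALES` and the helpers `resolveLocale`/`setLocaleSafe` are assumed, application-side names; only `Carbon::setLocale` comes from the page.

```php
<?php
// Added example (not from the Carbon project or the advisory): the risky pattern
// and a hardened wrapper. Assumes Carbon is installed via Composer and that the
// application keeps its own allow-list of supported locales.
require __DIR__ . '/vendor/autoload.php';

use Carbon\Carbon;

// Locales this application actually ships; an assumed, app-specific list.
const SUPPORTED_LOCALES = ['en', 'en_GB', 'fr', 'de', 'pt_BR'];

/**
 * Risky pattern described in the advisory: the locale string comes straight
 * from the request and is handed to Carbon::setLocale unvalidated.
 */
function setLocaleUnsafe(string $requested): void
{
    Carbon::setLocale($requested);
}

/**
 * Hardened form: accept only a language tag (language plus optional region)
 * AND require it to be in the application's allow-list. Anything else falls
 * back to the default locale and never reaches Carbon.
 */
function resolveLocale(string $requested, string $default = 'en'): string
{
    // Shape check first: letters, optional underscore/hyphen region, nothing
    // else, so no '.', '/', or NUL byte can pass this pattern.
    if (!preg_match('/\A[a-z]{2,3}([_-][A-Za-z]{2,4})?\z/', $requested)) {
        return $default;
    }
    $normalized = str_replace('-', '_', $requested);
    return in_array($normalized, SUPPORTED_LOCALES, true) ? $normalized : $default;
}

function setLocaleSafe(string $requested): void
{
    Carbon::setLocale(resolveLocale($requested));
}

// Constructed inputs: the second and third are rejected by the shape check,
// the fourth by the allow-list; only the first is passed through unchanged.
foreach (['fr', '../uploads/evil', "en\0", 'xx_YY'] as $candidate) {
    printf("%-22s -> %s\n", json_encode($candidate), resolveLocale($candidate));
}
```

Rejecting unknown locales up front also gives a clean place to log the attempt, which is a useful detection signal for this class of input.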

Key dates

Disclosure timeline

January 8, 2025 CVE published
February 25, 2025 Record updated