laravel/framework-v9.0.2: 5 vulnerabilities (highest severity is: 7.3)

[mend-for-github-com]

Vulnerable Library - laravel/framework-v9.0.2

The Laravel Framework.

Library home page: https://api.github.com/repos/laravel/framework/zipball/4c7cd8c4e95d161c0c6ada6efa0a5af4d0d487c9

Found in HEAD commit: eacf610ccf2ab7b29fd597b3c27c6b7f319f738e

Vulnerabilities

Vulnerability	Severity	CVSS	Dependency	Type	Fixed in (laravel/framework-v9.0.2 version)	Remediation Possible**
CVE-2025-22145	High	7.3	nesbot/carbon-2.56.0	Transitive	N/A*	❌
CVE-2025-27515	Medium	6.5	laravel/framework-v9.0.2	Direct	v12.1.1	❌
CVE-2025-46734	Medium	6.4	league/commonmark-2.2.1	Transitive	N/A*	❌
CVE-2024-50345	Low	3.1	symfony/http-foundation-v6.0.3	Transitive	N/A*	❌
CVE-2024-52301	Low	0.0	laravel/framework-v9.0.2	Direct	laravel/framework-6.20.45,7.30.7,8.83.28,9.52.17,10.48.23,11.31.0	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-22145

Vulnerable Library - nesbot/carbon-2.56.0

An API extension for DateTime that supports 281 different languages.

Library home page: https://api.github.com/repos/CarbonPHP/carbon/zipball/626ec8cbb724cd3c3400c3ed8f730545b744e3f4

Dependency Hierarchy:

• laravel/framework-v9.0.2 (Root Library)
  • ❌ nesbot/carbon-2.56.0 (Vulnerable Library)

Found in HEAD commit: eacf610ccf2ab7b29fd597b3c27c6b7f319f738e

Found in base branch: main

Vulnerability Details

Carbon is an international PHP extension for DateTime. Application passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include, if the application allows users to upload files with .php extension in an folder that allows include or require to read it, then they are at risk of arbitrary code ran on their servers. This vulnerability is fixed in 3.8.4 and 2.72.6.

Publish Date: 2025-01-08

URL: CVE-2025-22145

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-j3f9-p6hm-5w6q

Release Date: 2025-01-08

Fix Resolution: 2.72.6,3.8.4

CVE-2025-27515

Vulnerable Library - laravel/framework-v9.0.2

The Laravel Framework.

Library home page: https://api.github.com/repos/laravel/framework/zipball/4c7cd8c4e95d161c0c6ada6efa0a5af4d0d487c9

Dependency Hierarchy:

• ❌ laravel/framework-v9.0.2 (Vulnerable Library)

Found in HEAD commit: eacf610ccf2ab7b29fd597b3c27c6b7f319f738e

Found in base branch: main

Vulnerability Details

Laravel is a web application framework. When using wildcard validation to validate a given file or image field ("files.*"), a user-crafted malicious request could potentially bypass the validation rules. This vulnerability is fixed in 11.44.1 and 12.1.1.

Publish Date: 2025-03-05

URL: CVE-2025-27515

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wppf-gqj5-fc4f

Release Date: 2025-03-05

Fix Resolution: v12.1.1

CVE-2025-46734

Vulnerable Library - league/commonmark-2.2.1

Highly-extensible PHP Markdown parser which fully supports the CommonMark spec and GitHub-Flavored Markdown (GFM)

Library home page: https://api.github.com/repos/thephpleague/commonmark/zipball/f8afb78f087777b040e0ab8a6b6ca93f6fc3f18a

Dependency Hierarchy:

• laravel/framework-v9.0.2 (Root Library)
  • ❌ league/commonmark-2.2.1 (Vulnerable Library)

Found in HEAD commit: eacf610ccf2ab7b29fd597b3c27c6b7f319f738e

Found in base branch: main

Vulnerability Details

league/commonmark is a PHP Markdown parser. A cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library (versions 1.5.0 through 2.6.x) allows remote attackers to insert malicious JavaScript calls into HTML. The league/commonmark library provides configuration options such as "html_input: 'strip'" and "allow_unsafe_links: false" to mitigate cross-site scripting (XSS) attacks by stripping raw HTML and disallowing unsafe links. However, when the Attributes Extension is enabled, it introduces a way for users to inject arbitrary HTML attributes into elements via Markdown syntax using curly braces. Version 2.7.0 contains three changes to prevent this XSS attack vector: All attributes starting with "on" are considered unsafe and blocked by default; support for an explicit allowlist of allowed HTML attributes; and manually-added "href" and "src" attributes now respect the existing "allow_unsafe_links" configuration option. If upgrading is not feasible, please consider disabling the "AttributesExtension" for untrusted users and/or filtering the rendered HTML through a library like HTMLPurifier.

Publish Date: 2025-05-05

URL: CVE-2025-46734

CVSS 3 Score Details (6.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3527-qv2q-pfvx

Release Date: 2025-05-05

Fix Resolution: league/commonmark - 2.7.0

CVE-2024-50345

Vulnerable Library - symfony/http-foundation-v6.0.3

Defines an object-oriented layer for the HTTP specification

Library home page: https://api.github.com/repos/symfony/http-foundation/zipball/ad157299ced81a637fade1efcadd688d6deba5c1

Dependency Hierarchy:

• laravel/framework-v9.0.2 (Root Library)
  • ❌ symfony/http-foundation-v6.0.3 (Vulnerable Library)

Found in HEAD commit: eacf610ccf2ab7b29fd597b3c27c6b7f319f738e

Found in base branch: main

Vulnerability Details

symfony/http-foundation is a module for the Symphony PHP framework which defines an object-oriented layer for the HTTP specification. The "Request" class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the "Request" class to redirect users to another domain. The "Request::create" methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/. This issue has been patched in versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2024-11-06

URL: CVE-2024-50345

CVSS 3 Score Details (3.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-mrqx-rp3w-jpjp

Release Date: 2024-11-06

Fix Resolution: symfony/http-foundation - v5.4.46,v6.4.14,v7.1.7

CVE-2024-52301

Vulnerable Library - laravel/framework-v9.0.2

The Laravel Framework.

Library home page: https://api.github.com/repos/laravel/framework/zipball/4c7cd8c4e95d161c0c6ada6efa0a5af4d0d487c9

Dependency Hierarchy:

• ❌ laravel/framework-v9.0.2 (Vulnerable Library)

Found in HEAD commit: eacf610ccf2ab7b29fd597b3c27c6b7f319f738e

Found in base branch: main

Vulnerability Details

Laravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-cli SAPIs.

Publish Date: 2024-11-12

URL: CVE-2024-52301

CVSS 3 Score Details (0.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gv7v-rgg6-548h

Release Date: 2024-11-12

Fix Resolution: laravel/framework-6.20.45,7.30.7,8.83.28,9.52.17,10.48.23,11.31.0

[mend-for-github-com]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-for-github-com]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

[mend-for-github-com]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-for-github-com]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.