Laravel wildcard validation bypass files.* before v11.44.1/v12.1.1
CVE-2025-27515 Published on March 5, 2025
Laravel has a File Validation Bypass
Laravel is a web application framework. When using wildcard validation to validate a given file or image field (`files.*`), a user-crafted malicious request could potentially bypass the validation rules. This vulnerability is fixed in 11.44.1 and 12.1.1.
Weakness Type
Improper Neutralization of Wildcards or Matching Symbols
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or matching symbols when they are sent to a downstream component. As data is parsed, an injected element may cause the process to take unexpected actions.
Products Associated with CVE-2025-27515
Affected Versions
laravel/framework:
- Version >= 12.0.0, < 12.1.1 is affected.
- Version < 11.44.1 is affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2025-27515
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| composer | laravel/framework | >= 12.0.0, < 12.1.1 | 12.1.1 |
| composer | laravel/framework | < 11.44.1 | 11.44.1 |
| composer | macropay-solutions/laravel-crud-wizard-free | < 3.4.17 | 3.4.17 |
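A practitioner reading the Affected Versions and Vulnerable Packages sections above usually wants one thing: to know whether a given application's lock file pulls in an affected release. The script below is an added example for this page, not stack.watch, Laravel or Composer code. It encodes the version ranges exactly as the table lists them and audits a composer.lock document; the sample lock file embedded in it is constructed for the demonstration.

```python
"""Audit a composer.lock for packages affected by CVE-2025-27515.

Added example for this advisory page (not Laravel, Composer or stack.watch code).
The ranges below are copied from the Vulnerable Packages table on this page; the
composer.lock content at the bottom is constructed sample data.
"""
import json
import re

# (lower bound inclusive or None, upper bound exclusive, fixed-in version),
# one entry per row of the Vulnerable Packages table.
AFFECTED_RANGES = {
    "laravel/framework": [
        ((12, 0, 0), (12, 1, 1), "12.1.1"),
        (None, (11, 44, 1), "11.44.1"),
    ],
    "macropay-solutions/laravel-crud-wizard-free": [
        (None, (3, 4, 17), "3.4.17"),
    ],
}


def parse_version(version):
    """Turn a Composer version string such as 'v11.44.0' into an (x, y, z) tuple.

    Pre-release suffixes ('12.1.1-beta1') are ignored, so such a version compares
    as its final release; branch aliases ('dev-master') raise and must be checked
    by hand rather than silently passing.
    """
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def fixed_version_for(package, version):
    """Return the fixed-in version when (package, version) falls in an affected range, else None."""
    v = parse_version(version)
    for lower, upper, fixed in AFFECTED_RANGES.get(package, []):
        if (lower is None or v >= lower) and v < upper:
            return fixed
    return None


def audit_lock(lock_json):
    """Return {package: (installed, fixed_in)} for every affected package in a composer.lock."""
    lock = json.loads(lock_json)
    findings = {}
    # Both production and dev dependency lists are checked.
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            fixed = fixed_version_for(pkg["name"], pkg["version"])
            if fixed:
                findings[pkg["name"]] = (pkg["version"], fixed)
    return findings


# Constructed sample composer.lock, trimmed to the fields the audit reads.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.44.0"},
        {"name": "symfony/http-foundation", "version": "v7.2.3"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, (installed, fixed) in audit_lock(SAMPLE_LOCK).items():
        print(f"{name} {installed} is affected by CVE-2025-27515; upgrade to {fixed}")
```

To run it against a real project, replace `SAMPLE_LOCK` with the contents of the project's composer.lock. Note that the page's second range (`< 11.44.1`) covers every release before 11.44.1, so a 10.x or 9.x install is reported as affected with 11.44.1 as the first fixed version; whether an older major line receives its own fix is not something this page states.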
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.