CVE-2025-22145: Carbon has an arbitrary file include via unvalidated input passed to Carbon::setLocale
Applications passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include. If the application also allows users to upload files with a .php extension into a folder that include or require can read, then they are at risk of arbitrary code being run on their servers.
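One way to keep request data away from Carbon::setLocale is to map it onto a fixed allowlist first. This is an added example, not code from Carbon or from this advisory; SUPPORTED_LOCALES, DEFAULT_LOCALE and resolveLocale() are hypothetical names and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example: allowlist check placed in front of Carbon::setLocale.
// SUPPORTED_LOCALES, DEFAULT_LOCALE and resolveLocale() are hypothetical names.
const SUPPORTED_LOCALES = ['en', 'fr', 'de', 'pt_BR'];
const DEFAULT_LOCALE = 'en';

/**
 * Map untrusted input to one of the locales the application ships,
 * or to the default. The returned string is always taken from the
 * allowlist, never from the request.
 */
function resolveLocale(mixed $input): string
{
    // Arrays (e.g. ?locale[]=en) and oversized strings are rejected outright.
    if (!is_string($input) || strlen($input) > 16) {
        return DEFAULT_LOCALE;
    }
    // Accept only language[_REGION] shapes; this rejects path separators,
    // dots, NUL bytes and stream-wrapper prefixes before any lookup.
    if (preg_match('/\A[a-z]{2,3}(?:[_-][A-Za-z]{2,4})?\z/', $input) !== 1) {
        return DEFAULT_LOCALE;
    }
    $normalized = str_replace('-', '_', $input);
    foreach (SUPPORTED_LOCALES as $known) {
        if (strcasecmp($known, $normalized) === 0) {
            return $known;
        }
    }
    return DEFAULT_LOCALE;
}

// Constructed sample inputs standing in for a request parameter.
$samples = ['fr', 'pt-br', '../uploads/avatar', "en\0.php", ['en'], 'xx'];
foreach ($samples as $raw) {
    $locale = resolveLocale($raw);
    printf("%-22s -> %s\n", json_encode($raw), $locale);
    // The call is guarded so the script also runs where Carbon is not installed.
    if (class_exists(\Carbon\Carbon::class)) {
        \Carbon\Carbon::setLocale($locale); // only allowlisted values reach Carbon
    }
}
```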