NEWS One-click access to the entire server. A vulnerability in Livewire Filemanager puts thousands of projects at risk.

pinkman

A way to bypass authorization has been discovered in a popular file manager for the PHP framework.
A vulnerability that turns a file uploader into a remote code execution vector has been discovered in a popular Laravel tool. The vulnerability affects Livewire Filemanager. The flaw allows an unauthenticated attacker to upload a PHP file to the server and immediately execute it through an ordinary browser.

The vulnerability, identified as CVE-2025-14894 (CVSS score: 7.5), affects the LivewireFilemanagerComponent.php component. The problem is that the component does not properly validate the type of uploaded files, neither by extension nor by MIME type. Formally, the Livewire Filemanager developers do provide filtering that users can extend, but it is the combination of the default validation conditions and a typical Laravel configuration that makes the attack extremely simple.

Many Laravel projects use the `php artisan storage:link` command, which creates a public symlink to the storage/app/public directory so that uploaded files can be served through the website. Under normal circumstances this is convenient and safe, provided the uploader properly restricts the formats it accepts. However, Livewire Filemanager allows any PHP file to be uploaded to the server. The file then becomes accessible via a URL under /storage and can be executed as a script.

An attacker simply uploads a prepared file and requests it through a browser, passing the user ID in the request. As a result, the code executes as the web server user without any authentication. This gives full access to files, the ability to plant backdoors, and a way to move further into the infrastructure.

According to CERT/CC, the implications are significant. The vulnerability enables remote code execution and complete control of the compromised web server. With this access, attackers can gain a foothold in the system, obtain sensitive data, or use the server as a staging point for attacks on neighboring hosts.

At this time, the Livewire Filemanager developers have not officially confirmed the vulnerability, and no patches have been released. Experts recommend that Laravel project administrators urgently check whether Livewire Filemanager is used in conjunction with public storage. If you have already created the symlink, it is best to temporarily disable web access to the directory it exposes, or to disable the file manager entirely until fixes are available.
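The check recommended above (is Livewire Filemanager present, is the public storage symlink in place, and have PHP files already landed under storage/app/public) can be scripted. The following POSIX shell audit is an added example written for this post; it is not code from the article, from CERT/CC or from the Livewire Filemanager project. It assumes the standard Laravel layout, where `php artisan storage:link` creates public/storage pointing at storage/app/public, and it assumes the package shows up in composer.json under a name containing "livewire-filemanager" (the exact Composer package name is an assumption, adjust the pattern to match your lock file). The fixture it builds for a stand-alone run is constructed sample data.

```shell
#!/bin/sh
# Added audit helper for Laravel projects (example code, not from the article
# or the Livewire Filemanager project). Assumptions, labelled:
#   - standard Laravel layout: public/storage -> storage/app/public
#   - composer.json references the package with a name containing
#     "livewire-filemanager" (exact package name is an assumption)

# 0 if public/storage is a symlink, i.e. uploaded files are web-reachable.
has_public_storage_link() {
    [ -L "$1/public/storage" ]
}

# 0 if composer.json mentions the file manager package (assumed name pattern).
uses_livewire_filemanager() {
    [ -f "$1/composer.json" ] && grep -q 'livewire-filemanager' "$1/composer.json"
}

# Print PHP-like files already sitting in the web-exposed storage directory.
# Returns 0 if at least one is found, 1 otherwise.
find_php_in_public_storage() {
    dir="$1/storage/app/public"
    [ -d "$dir" ] || return 1
    found=$(find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' \) 2>/dev/null)
    [ -n "$found" ] && printf '%s\n' "$found"
}

# Verdict for one project root: 0 = exposed combination present, 1 = not.
audit_laravel_project() {
    root="$1"
    if uses_livewire_filemanager "$root" && has_public_storage_link "$root"; then
        echo "RISK: Livewire Filemanager + public storage symlink in $root"
        if find_php_in_public_storage "$root" >/dev/null; then
            echo "ALERT: PHP files already present under storage/app/public:"
            find_php_in_public_storage "$root"
        fi
        return 0
    fi
    echo "OK: exposed combination not found in $root"
    return 1
}

# Constructed fixture so the script can be exercised without a real project.
# Prints the temporary project root.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/public" "$root/storage/app/public/uploads"
    printf '{"require":{"livewire-filemanager/filemanager":"*"}}\n' > "$root/composer.json"
    ln -s "../storage/app/public" "$root/public/storage"
    # Harmless constructed marker file, stands in for an unwanted upload.
    printf '<?php echo "constructed test file";\n' > "$root/storage/app/public/uploads/sample.php"
    printf '%s' "$root"
}

# Usage: sh audit.sh /path/to/laravel/project
if [ $# -gt 0 ]; then
    audit_laravel_project "$1"
fi
```

A hit from `find_php_in_public_storage` means a script is already reachable through the symlink and should be treated as an incident, not just a misconfiguration. Note that whether a file under /storage actually executes depends on how the web server maps PHP handlers; the check above flags exposure conservatively and does not try to confirm execution.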