
GSA_kwCzR0hTQS05NmMyLWg2NjctOWZ4cM4ABKWD

Severity: Critical. CVSS: 9.3. EPSS: 0.00335% (0.55668 percentile).

nova-tiptap has Unauthenticated Arbitrary File Upload Vulnerability

Affected package: packagist:manogi/nova-tiptap
Affected versions: <= 3.2.6
Fixed versions: No known fixed version
Dependent packages: 9
Dependent repositories: 11
Downloads total: 718,134

Affected Version Ranges

All affected versions

0.0.1, 0.0.2, 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.9.0, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6

Affected package: packagist:marshmallow/nova-tiptap
Affected versions: < 5.7.0
Fixed versions: 5.7.0
Dependent packages: 0
Dependent repositories: 0
Downloads total: 25,260

Affected Version Ranges

All affected versions

5.0.0, 5.1.0, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.4.0, 5.5.0, 5.6.0

All unaffected versions

5.7.0

A vulnerability was discovered in the marshmallow-packages/nova-tiptap Laravel Nova package that allows unauthenticated users to upload arbitrary files to any Laravel disk configured in the application.

The vulnerability is due to:
• Missing authentication middleware (Nova and Nova.Auth) on the /nova-tiptap/api/file upload endpoint
• Lack of validation on uploaded files (no MIME/type or extension restrictions)
• Ability for an attacker to choose the disk parameter dynamically

This means an attacker can craft a custom form and send a POST request to /nova-tiptap/api/file, supplying a valid CSRF token, and upload executable or malicious files (e.g., .php, binaries) to public disks such as local, public, or s3. If a publicly accessible storage path is used (e.g. S3 with public access, or Laravel’s public disk), the attacker may gain the ability to execute or distribute arbitrary files — amounting to a potential Remote Code Execution (RCE) vector in some environments.
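As an added, defender-side example that is not part of the advisory or of the nova-tiptap project's code: a hardened version of an upload route in a Laravel application that addresses the three causes listed above. The route sits behind the middleware groups the advisory names, the disk comes from a fixed allow-list instead of the request, and the upload is validated by content type and size; the controller class name, the allow-list contents and the 5 MB limit are assumptions.

```php
<?php
// Added example, not the nova-tiptap project's own code. Assumes a Laravel 9+
// application with Laravel Nova installed; controller name and limits are hypothetical.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\Storage;
use Illuminate\Validation\Rule;
use Illuminate\Validation\Rules\File;

// Cause 1: the endpoint is registered behind the middleware groups the advisory
// names ('nova' and 'nova.auth'), so unauthenticated POSTs never reach the controller.
Route::middleware(['nova', 'nova.auth'])
    ->post('/nova-tiptap/api/file', [FileUploadController::class, 'store']);

class FileUploadController
{
    // Cause 3: disks an upload may target are fixed server-side (assumption: only 'public').
    private const ALLOWED_DISKS = ['public'];

    public function store(Request $request)
    {
        // Cause 2: the request is validated before anything is written to storage.
        $validated = $request->validate([
            'disk' => ['required', Rule::in(self::ALLOWED_DISKS)],
            // Optional subdirectory; the pattern excludes '..', spaces and separators other than '/'.
            'path' => ['nullable', 'string', 'regex:/^[A-Za-z0-9_\/-]*$/'],
            'file' => [
                'required',
                // Accepts only files whose content sniffs as an image (rejects .php, binaries, ...)
                // and caps the size at 5 MB (max() takes kilobytes).
                File::image()->max(5 * 1024),
            ],
        ]);

        // Laravel generates the stored filename from a hash, so the client cannot
        // pick an executable extension or traverse directories via the name.
        $storedPath = $request->file('file')->store(
            trim($validated['path'] ?? 'uploads', '/'),
            $validated['disk']
        );

        return response()->json([
            'url' => Storage::disk($validated['disk'])->url($storedPath),
        ]);
    }
}
```

With this shape, a request carrying a valid CSRF token but no Nova session is rejected by the middleware, and a `.php` payload sent by an authenticated user still fails the `image()` rule.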

References: