Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1qM2Y5LXA2aG0tNXc2cc4ABDGi

Carbon has an arbitrary file include via unvalidated input passed to Carbon::setLocale

Impact

Applications passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include; if the application also allows users to upload files with a .php extension into a folder that include or require can read from, then they are at risk of arbitrary code being run on their servers.
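Added here as an illustration (not code from the advisory or the Carbon project): the unsafe call the advisory describes next to a hardened version that only lets an application-defined allowlist of locale names reach Carbon::setLocale. The SUPPORTED_LOCALES list and the resolveSafeLocale helper are hypothetical; the only Carbon API used is setLocale and diffForHumans.

```php
<?php
// Added example (not from the advisory or the Carbon project): gate
// caller-supplied locale input before it reaches Carbon::setLocale, so the
// string can never be used to select a file path. Assumes nesbot/carbon
// was installed through Composer.

require __DIR__ . '/vendor/autoload.php';

use Carbon\Carbon;

// Locales this application actually ships translations for (hypothetical list).
const SUPPORTED_LOCALES = ['en', 'fr', 'de', 'pl', 'pt_BR'];

/**
 * Return a locale that is safe to pass to Carbon::setLocale, or null.
 * Two layers: a strict shape check (letters, digits and underscores only, so
 * no slashes, dots, "..", or NUL bytes survive) followed by an exact match
 * against the allowlist, compared strictly so "0" or similar cannot match.
 */
function resolveSafeLocale(string $requested): ?string
{
    if (!preg_match('/^[A-Za-z]{2,3}(_[A-Za-z0-9]{1,8}){0,2}$/', $requested)) {
        return null;
    }

    return in_array($requested, SUPPORTED_LOCALES, true) ? $requested : null;
}

// Vulnerable pattern described in the advisory: raw request input goes
// straight into setLocale on an affected Carbon version.
// Carbon::setLocale($_GET['locale'] ?? 'en');

// Hardened pattern: malformed or unknown values fall back to a fixed default,
// and the value that reaches Carbon is always one of our own constants.
$locale = resolveSafeLocale((string) ($_GET['locale'] ?? ''));
Carbon::setLocale($locale ?? 'en');

echo Carbon::now()->subDay()->diffForHumans(), PHP_EOL;
```

Upgrading to a fixed Carbon release remains the primary fix; the allowlist is defence in depth that also keeps unsupported locale names out of the application.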

Patches

Workarounds

Any of the below actions can be taken to prevent the issue:

References

https://en.wikipedia.org/wiki/File_inclusion_vulnerability

Credits

Thanks to Szczepan Hołyszewski, who reported the issue, and to Tidelift for coordinating the resolution.

Permalink: https://github.com/advisories/GHSA-j3f9-p6hm-5w6q
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qM2Y5LXA2aG0tNXc2cc4ABDGi
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 9 days ago
Updated: 9 days ago


EPSS Percentage: 0.00043
EPSS Percentile: 0.11086

Identifiers: GHSA-j3f9-p6hm-5w6q, CVE-2025-22145
References: Repository: https://github.com/CarbonPHP/carbon
Blast Radius: 0.0

Affected Packages

packagist:nesbot/carbon
Dependent packages: 4,649
Dependent repositories: 471,721
Downloads: 508,041,772 total
Affected Version Ranges: < 2.72.6; >= 3.0.0, < 3.8.4
Fixed in: 2.72.6, 3.8.4
All affected versions: 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.9.0, 1.10.0, 1.11.0, 1.12.0, 1.13.0, 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.18.0, 1.19.0, 1.20.0, 1.21.0, 1.22.0, 1.22.1, 1.23.0, 1.24.0, 1.24.1, 1.24.2, 1.25.0, 1.25.1, 1.25.3, 1.26.0, 1.26.1, 1.26.2, 1.26.3, 1.26.4, 1.26.5, 1.26.6, 1.27.0, 1.28.0, 1.29.0, 1.29.1, 1.29.2, 1.30.0, 1.31.0, 1.31.1, 1.32.0, 1.33.0, 1.34.0, 1.34.1, 1.34.2, 1.34.3, 1.34.4, 1.35.0, 1.35.1, 1.36.0, 1.36.1, 1.36.2, 1.37.0, 1.37.1, 1.38.0, 1.38.1, 1.38.2, 1.38.3, 1.38.4, 1.39.0, 1.39.1, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.6.0, 2.6.1, 2.7.0, 2.8.0, 2.9.0, 2.9.1, 2.10.0, 2.10.1, 2.11.0, 2.12.0, 2.13.0, 2.14.0, 2.14.1, 2.14.2, 2.15.0, 2.16.0, 2.16.1, 2.16.2, 2.16.3, 2.17.0, 2.17.1, 2.18.0, 2.19.0, 2.19.1, 2.19.2, 2.20.0, 2.21.0, 2.21.1, 2.21.2, 2.21.3, 2.22.0, 2.22.1, 2.22.2, 2.22.3, 2.23.0, 2.23.1, 2.24.0, 2.25.0, 2.25.1, 2.25.2, 2.25.3, 2.26.0, 2.27.0, 2.28.0, 2.29.0, 2.29.1, 2.30.0, 2.31.0, 2.32.0, 2.32.1, 2.32.2, 2.33.0, 2.34.0, 2.34.1, 2.34.2, 2.35.0, 2.36.0, 2.36.1, 2.37.0, 2.38.0, 2.39.0, 2.39.1, 2.39.2, 2.40.0, 2.40.1, 2.41.0, 2.41.1, 2.41.2, 2.41.3, 2.41.4, 2.41.5, 2.42.0, 2.43.0, 2.44.0, 2.45.0, 2.45.1, 2.46.0, 2.47.0, 2.47.1, 2.48.0, 2.48.1, 2.49.0, 2.50.0, 2.51.0, 2.51.1, 2.52.0, 2.53.0, 2.53.1, 2.54.0, 2.55.0, 2.55.1, 2.55.2, 2.56.0, 2.57.0, 2.58.0, 2.59.0, 2.59.1, 2.60.0, 2.61.0, 2.62.0, 2.62.1, 2.63.0, 2.64.0, 2.64.1, 2.65.0, 2.66.0, 2.67.0, 2.68.0, 2.68.1, 2.69.0, 2.70.0, 2.71.0, 2.72.0, 2.72.1, 2.72.2, 2.72.3, 2.72.4, 2.72.5, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.3.0, 3.3.1, 3.4.0, 3.5.0, 3.6.0, 3.7.0, 3.8.0, 3.8.1, 3.8.2, 3.8.3
All unaffected versions: 2.72.6, 3.8.4