JustAppSec

Laravel File Manager flaw enables authenticated file-upload RCE

Published 05 Apr 2026. Source: CVEProject (cvelistV5)

TL;DR — An authenticated attacker can upload a malicious PHP file through laravel-filemanager and reach server-side code execution by directly accessing the uploaded file path.

What happened

UniSharp/laravel-filemanager is a Laravel package that provides a web UI and endpoints for browsing and uploading files (commonly used as a “file picker” integration for apps and editors).

CVE-2019-25673 describes an arbitrary file upload vulnerability: an authenticated attacker can send multipart form data to the upload endpoint with the type parameter set to Files, upload a PHP file, and then execute it by requesting the uploaded file through the working directory path.

The CVE record rates this issue High severity (CVSS v4.0 base score 8.7; CVSS v3.1 base score 8.8) and references a public ExploitDB proof-of-concept, which materially lowers the barrier to exploitation in real deployments.

File upload weaknesses are one of the most reliable “web app to RCE” paths when storage locations are web-accessible and interpreter-executable — and they routinely show up in auxiliary components (uploaders, media managers, editor plugins) that teams don’t treat as part of the primary attack surface.

Who is impacted

  • Applications using Laravel File Manager in the affected version range described by the CVE.
  • The CVE text specifically calls out v2.0.0-alpha7 and v2.0 as vulnerable; the CVE “affected versions” section lists 2.0.0 as affected (treat this as an ambiguity in the record and validate your deployed version/commit history).
  • Environments where uploaded files end up under a web-accessible path (so the attacker can request the uploaded .php file after upload).

Item | Source value
Attack precondition | Authenticated attacker (PR:L)
Impact | Remote code execution via uploaded PHP file
CVSS v4.0 | 8.7 (High)
Public exploit reference | Yes (ExploitDB-46389)

What to do now

  • Follow vendor remediation guidance and apply the latest patched release available at the time of writing (the CVE record does not state a fixed version).
  • Inventory where UniSharp/laravel-filemanager is deployed (composer.lock, SBOMs, container images, deployed artifacts) and confirm whether any instances are on the affected versions.
  • Reduce blast radius while you validate patch availability and rollout:
    • Restrict access to the file manager routes/endpoints to only trusted roles.
    • Ensure uploaded content is stored outside the web root or served in a way that prevents PHP execution.
    • Review web logs for suspicious upload activity and subsequent direct requests to newly uploaded files under the working directory path.
  • If compromise is suspected, treat it as an RCE-class incident:
    • Hunt for unexpected files in upload/working directories and rotate credentials reachable by the app runtime (DB credentials, API keys, signing keys).
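A log check for the "review web logs" item above, added here as an example and not part of this advisory or of the package: it correlates a POST to the file manager's upload route with a later successful GET of a PHP-like file under the upload directory from the same client, and records whether the POST carried type=Files. The route, the directory prefix and the sample log lines are assumed or constructed values, not taken from the CVE record.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Deployment-specific values (assumptions, not from the CVE record): the upload route
# and the web-accessible working directory. Set both to match your own deployment.
UPLOAD_ROUTE = "/filemanager/upload"
UPLOAD_DIR_PREFIX = "/files/"
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)

# Combined access-log format: ip ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    if (m := LOG_RE.match(line)) is None:
        return None
    url = urlsplit(m["target"])
    return {"ip": m["ip"], "method": m["method"], "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": url.path, "query": parse_qs(url.query)}

def find_upload_then_execute(log_text, window_seconds=600):
    """Flag an IP that POSTs to the upload route and, within the window, gets a 200
    for a PHP-like file under the upload directory; note whether type=Files was used."""
    uploads = defaultdict(list)   # ip -> [(timestamp, POST carried type=Files)]
    alerts = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e["method"] == "POST" and e["path"] == UPLOAD_ROUTE:
            uploads[e["ip"]].append((e["ts"], e["query"].get("type") == ["Files"]))
        elif (e["method"] == "GET" and e["status"] == 200
              and e["path"].startswith(UPLOAD_DIR_PREFIX) and SCRIPT_EXT.search(e["path"])):
            prior = [f for t, f in uploads[e["ip"]] if 0 <= (e["ts"] - t).total_seconds() <= window_seconds]
            if prior:
                alerts.append({"ip": e["ip"], "path": e["path"], "type_files": any(prior)})
    return alerts

# Constructed sample traffic (not real logs): one upload-then-execute sequence, one
# benign image upload, and one request for a script the server never served.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Apr/2026:10:00:01 +0000] "POST /filemanager/upload?type=Files HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.5 - - [05/Apr/2026:10:00:09 +0000] "GET /files/cmd.php HTTP/1.1" 200 51 "-" "Mozilla/5.0"
10.0.0.7 - - [05/Apr/2026:10:01:00 +0000] "POST /filemanager/upload?type=Images HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Apr/2026:10:02:00 +0000] "GET /files/old.php HTTP/1.1" 404 0 "-" "curl/8.0"
"""
```

Running `find_upload_then_execute(SAMPLE_LOG)` on the constructed lines yields a single alert for 10.0.0.5; the 404 for old.php is deliberately not flagged because the script was never served.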

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
