{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/650657#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\n\r\nA vulnerability, tracked as CVE-2025-14894, has been discovered within Livewire Filemanager, a tool designed for use within Laravel applications. The Livewire Filemanager tool allows users to upload various files, including PHP files, and host them within the Laravel application. When a user uploads a PHP file to the application, it can be accessed and executed by visiting the web-accessible file hosting directory. This enables an attacker to create a malicious PHP file, upload it to the application, then force the application to execute it, enabling unauthenticated arbitrary code execution on the host device.\r\n\r\n### Description\r\n\r\nLivewire Filemanager is a tool designed to be embedded into Laravel applications, allowing files to be uploaded, stored and managed. Laravel is a PHP framework intended for web application development. A vulnerability has been discovered within Livewire Filemanager that enables remote code execution (RCE) by uploading a malicious PHP file. This vulnerability is tracked as CVE-2025-14894, and its description is below:\r\n\r\n> Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation, allowing for RCE through upload of a malicious php file that can then be executed via the /storage/ URL if a commonly performed setup process within Laravel applications has been completed.\r\n\r\nAs a note, Livewire Filemanager defines validation of file types to be [out of scope](https://github.com/livewire-filemanager/filemanager/blob/master/docs.md#security), and recommends that users perform their own file type validation. However, the ability to remotely execute files uploaded through the web application is what actually enables running the malicious code.\r\n\r\nDuring default usage of Livewire Filemanager, files can be accessed via the publicly accessible \"storage/app/public\" URL. This occurs if the `php artisan storage:link` command has previously been executed, enabling web serving. If a malicious PHP file is uploaded to the file manager, it can then be accessed and executed from that URL when passed a user ID alongside the request, enabling remote code execution on the target device.\r\n\r\n### Impact\r\nThe vulnerability enables unauthenticated remote code execution as the web server user, enabling full read and write of files accessible to that user, as well as the capability to further pivot and compromise connected devices, making CVE-2025-14894 a high impact vulnerability.\r\n\r\n### Solution\r\nAt the time of writing, the vendor has not acknowledged the vulnerability. CERT/CC recommends using increased caution with Livewire Filemanager, checking whether the `php artisan storage:link` command has previously been executed, and, if so, considering removing the web serving capability of the tool.\r\n\r\n### Acknowledgements\r\nThanks to the reporter HackingByDoing. This document was written by Christopher Cullen.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK.","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL, if provided by the vendor, for more details.","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/650657"},{"url":"https://github.com/livewire-filemanager/filemanager","summary":"https://github.com/livewire-filemanager/filemanager"},{"url":"https://hackingbydoing.wixsite.com/hackingbydoing/post/unauthenticated-rce-in-livewire-filemanager","summary":"https://hackingbydoing.wixsite.com/hackingbydoing/post/unauthenticated-rce-in-livewire-filemanager"}],"title":"Livewire Filemanager contains an insecure .php component that allows for unauthenticated RCE in Laravel Products","tracking":{"current_release_date":"2026-01-16T12:43:49+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#650657","initial_release_date":"2026-01-16 12:43:49.921167+00:00","revision_history":[{"date":"2026-01-16T12:43:49+00:00","number":"1.20260116124349.1","summary":"Released on 2026-01-16T12:43:49+00:00"}],"status":"final","version":"1.20260116124349.1"}},"vulnerabilities":[{"title":"Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.","notes":[{"category":"summary","text":"Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation, allowing for RCE through upload of a malicious php file that can then be executed via the /storage/ URL if a commonly performed setup process within Laravel applications has been completed."}],"cve":"CVE-2025-14894","ids":[{"system_name":"CERT/CC V Identifier","text":"VU#650657"}]}],"product_tree":{"branches":[]}}