Home > Vulnerability Database > CVE-2025-22145

Mend.io Vulnerability Database

CVE-2025-22145

Date: January 8, 2025

Carbon is an international PHP extension for DateTime. Application passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include, if the application allows users to upload files with .php extension in an folder that allows include or require to read it, then they are at risk of arbitrary code ran on their servers. This vulnerability is fixed in 3.8.4 and 2.72.6.

Severity Score

7.3

Related Resources (7)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-22145

Url: https://security-tracker.debian.org/tracker/CVE-2025-22145

Url: https://github.com/briannesbitt/Carbon/commit/129700ed449b1f02d70272d2ac802357c8c30c58

Url: https://lists.debian.org/debian-lts-announce/2025/02/msg00032.html

Url: https://github.com/CarbonPHP/carbon

Url: https://github.com/CarbonPHP/carbon/security/advisories/GHSA-j3f9-p6hm-5w6q

Url: https://www.mend.io/vulnerability-database/CVE-2025-22145

Severity Score

7.3

Weakness Type (CWE)

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

CWE-98

CVSS v3.1

Base Score:	7.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2025-22145

Date: January 8, 2025

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?