CVE-2025-14894: Livewire Filemanager does not restrict uploaded file types
Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type or MIME validation on uploads. This allows remote code execution (RCE): a malicious PHP file can be uploaded and then executed via the /storage/ URL if a commonly performed setup process within Laravel applications has been completed.
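The missing control, shown as an added example that is not code from Livewire Filemanager or from any fix for it: an upload is accepted only if its extension is on an allowlist and the MIME type sniffed from its content matches that extension, and it is stored under a server-generated name. The `ALLOWED_UPLOADS` policy, the `validateUpload` function and the sample files are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed policy: extension => MIME types accepted for that extension.
const ALLOWED_UPLOADS = [
    'jpg' => ['image/jpeg'],
    'png' => ['image/png'],
    'gif' => ['image/gif'],
    'pdf' => ['application/pdf'],
];

/**
 * Hypothetical helper: check the client-supplied name and the file content,
 * then return a random storage name. Throws if the upload is not allowed.
 */
function validateUpload(string $clientName, string $tmpPath): string
{
    // Only the final extension counts; the client name is never reused on disk.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_UPLOADS)) {
        throw new InvalidArgumentException("extension '$ext' is not allowed");
    }
    // Sniff the type from the bytes; the client's Content-Type is not trusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, ALLOWED_UPLOADS[$ext], true)) {
        throw new InvalidArgumentException("content type does not match .$ext");
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs: a minimal PNG header and a harmless PHP file.
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n" . pack('N', 13) . 'IHDR'
    . pack('NN', 1, 1) . "\x08\x06\x00\x00\x00");
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'constructed sample';\n");

$cases = [['photo.png', $png], ['notes.php', $php], ['photo.png', $php]];
foreach ($cases as [$name, $path]) {
    try {
        echo $name, ' => stored as ', validateUpload($name, $path), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $name, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
unlink($png);
unlink($php);
```

The third case is the one an extension check alone would miss: the name ends in `.png` but the content is PHP, so the sniffed type does not match the allowlist entry.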
References
- github.com/advisories/GHSA-9g95-48c6-r778
- github.com/livewire-filemanager/filemanager
- github.com/livewire-filemanager/filemanager/blob/master/docs.md
- hackingbydoing.wixsite.com/hackingbydoing/post/unauthenticated-rce-in-livewire-filemanager
- nvd.nist.gov/vuln/detail/CVE-2025-14894
- www.kb.cert.org/vuls/id/650657
Detect and mitigate CVE-2025-14894 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.