GHSA-j3f9-p6hm-5w6q

Suggest an improvement
Source
https://github.com/advisories/GHSA-j3f9-p6hm-5w6q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-j3f9-p6hm-5w6q/GHSA-j3f9-p6hm-5w6q.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-j3f9-p6hm-5w6q
Aliases
Published
2025-01-08T21:03:28Z
Modified
2025-01-08T22:03:56.544707Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
Carbon has an arbitrary file include via unvalidated input passed to Carbon::setLocale
Details

Impact

Application passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include, if the application allows users to upload files with .php extension in an folder that allows include or require to read it, then they are at risk of arbitrary code ran on their servers.

Patches

Workarounds

Any of the below actions can be taken to prevent the issue: - Validate input before calling setLocale(), for instance by forbidding or removing / and \ - Call setLocale() only with a locale from a whitelist of supported locales - When uploading files, rename them so they cannot have a .php extension (this is recommended even if you're not affected by this issue) - Prefer storage system that are not local to the application (remote service, or local service ran by another user so the uploaded files actually live outside of the application basedir)

References

https://en.wikipedia.org/wiki/Fileinclusionvulnerability

Credits

Thanks to Szczepan Hołyszewski who reported the issue and to Tidelift to coordinate the resolution

Database specific 
{
    "nvd_published_at": "2025-01-08T21:15:13Z",
    "cwe_ids": [
        "CWE-98"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-08T21:03:28Z"
}
References

Affected packages

Packagist / nesbot/carbon

Package

Name
nesbot/carbon
Purl
pkg:composer/nesbot/carbon

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.8.4

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.1.0
3.1.1
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.3.0
3.3.1
3.4.0
3.5.0
3.6.0
3.7.0
3.8.0
3.8.1
3.8.2
3.8.3

Packagist / nesbot/carbon

Package

Name
nesbot/carbon
Purl
pkg:composer/nesbot/carbon

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.72.6

Affected versions

1.*

1.0.0
1.0.1
1.1.0
1.2.0
1.3.0
1.4.0
1.5.0
1.6.0
1.7.0
1.8.0
1.9.0
1.10.0
1.11.0
1.12.0
1.13.0
1.14.0
1.15.0
1.16.0
1.17.0
1.18.0
1.19.0
1.20.0
1.21.0
1.22.0
1.22.1
1.23.0
1.24.0
1.24.1
1.24.2
1.25.0
1.25.1
1.25.3
1.26.0
1.26.1
1.26.2
1.26.3
1.26.4
1.26.5
1.26.6
1.27.0
1.28.0
1.29.0
1.29.1
1.29.2
1.30.0
1.31.0
1.31.1
1.32.0
1.33.0
1.34.0
1.34.1
1.34.2
1.34.3
1.34.4
1.35.0
1.35.1
1.36.0
1.36.1
1.36.2
1.37.0
1.37.1
1.38.0
1.38.1
1.38.2
1.38.3
1.38.4
1.39.0
1.39.1

2.*

2.0.0-beta.1
2.0.0-beta.2
2.0.0-beta.3
2.0.0-beta.4
2.0.0-beta.5
2.0.0-beta.6
2.0.0
2.0.1
2.1.0
2.1.1
2.2.0
2.2.1
2.3.0
2.3.1
2.4.0
2.4.1
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.6.0
2.6.1
2.7.0
2.8.0
2.9.0
2.9.1
2.10.0
2.10.1
2.11.0
2.12.0
2.13.0
2.14.0
2.14.1
2.14.2
2.15.0
2.16.0
2.16.1
2.16.2
2.16.3
2.17.0
2.17.1
2.18.0
2.19.0
2.19.1
2.19.2
2.20.0
2.21.0
2.21.1
2.21.2
2.21.3
2.22.0-beta.1
2.22.0-beta.2
2.22.0-beta.3
2.22.0
2.22.1
2.22.2
2.22.3
2.23.0-beta.1
2.23.0-beta.2
2.23.0-beta.3
2.23.0-beta.4
2.23.0
2.23.1
2.24.0-beta.1
2.24.0-beta.2
2.24.0-beta.3
2.24.0-beta.4
2.24.0
2.25.0-beta.1
2.25.0-beta.2
2.25.0-beta.3
2.25.0
2.25.1
2.25.2
2.25.3
2.26.0
2.27.0
2.28.0-beta.1
2.28.0
2.29.0
2.29.1
2.30.0
2.31.0
2.32.0
2.32.1
2.32.2
2.33.0
2.34.0
2.34.1
2.34.2
2.35.0
2.36.0
2.36.1
2.37.0
2.38.0
2.39.0
2.39.1
2.39.2
2.40.0
2.40.1
2.41.0
2.41.1
2.41.2
2.41.3
2.41.4
2.41.5
2.42.0
2.43.0
2.44.0
2.45.0
2.45.1
2.46.0
2.47.0
2.47.1
2.48.0
2.48.1
2.49.0
2.50.0
2.51.0
2.51.1
2.52.0
2.53.0
2.53.1
2.54.0
2.55.0
2.55.1
2.55.2
2.56.0
2.57.0
2.58.0
2.59.0
2.59.1
2.60.0
2.61.0
2.62.0
2.62.1
2.63.0
2.64.0
2.64.1
2.65.0
2.66.0
2.67.0
2.68.0
2.68.1
2.69.0
2.70.0
2.71.0
2.72.0
2.72.1
2.72.2
2.72.3
2.72.4
2.72.5