CVE-2025-22145 in carbon
Summary
by MITRE • 01/08/2025
Carbon is an international PHP extension for DateTime. Applications passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include; if the application allows users to upload files with a .php extension into a folder that include or require can read, then they are at risk of arbitrary code being run on their servers. This vulnerability is fixed in 3.8.4 and 2.72.6.
Analysis
by VulDB Data Team • 02/25/2025
Carbon is a popular international PHP extension that enhances DateTime functionality with locale-aware formatting and parsing capabilities. The vulnerability CVE-2025-22145 specifically targets the Carbon::setLocale method which handles locale configuration for date and time operations. This flaw arises when applications fail to properly sanitize user input before passing it to the setLocale function, creating a path for malicious actors to exploit. The vulnerability stems from insufficient validation of locale identifiers, allowing attackers to inject malicious file paths that can be processed through PHP's include or require statements.
The vulnerability is triggered when user-supplied data containing directory traversal sequences or malicious file references is passed directly to Carbon::setLocale without sanitization. If the application also permits .php file uploads into directories reachable by PHP's include mechanism, an attacker can upload a PHP file whose name matches the locale identifier they supply. The Carbon library, while processing the unsanitized locale parameter, then includes and executes that file through the include/require functionality.
The operational impact of this vulnerability is severe as it allows remote code execution on affected servers. Attackers can leverage this flaw to execute arbitrary commands, potentially gaining full control over the affected system. The vulnerability affects applications that use Carbon versions prior to 3.8.4 and 2.72.6, making it particularly dangerous for widely deployed applications that have not yet been updated. This type of vulnerability aligns with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-94 (Improper Control of Generation of Code) in the CWE database, representing a path traversal issue combined with code execution capabilities. The attack pattern follows ATT&CK technique T1505.003 (Server-side Include) and T1059.007 (Command and Scripting Interpreter: PowerShell) when leveraging the code execution capabilities.
Organizations affected by this vulnerability should immediately upgrade to Carbon versions 3.8.4 or 2.72.6 to receive the necessary patches. Additionally, defensive measures should include implementing strict input validation for all locale parameters, removing user upload capabilities for PHP files, and restricting file upload directories from being accessible to PHP include mechanisms. Security teams should conduct thorough code reviews to identify all instances where user input is passed to Carbon::setLocale or similar functions without proper sanitization. Implementing proper access controls and file permission settings on upload directories can significantly reduce the attack surface, while monitoring for unusual file upload patterns can help detect potential exploitation attempts.
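As an added example (not code from VulDB or from the Carbon project), the following PHP shows the unsafe data flow the analysis describes next to a hardened version that only hands allow-listed locale names to Carbon::setLocale. It assumes Carbon is installed through Composer, that Carbon::getAvailableLocales() returns the locale names the library ships, and that the application keeps its own list of supported locales; the request parameter name, the $allowedLocales list and the sample inputs are constructed for this example.

```php
<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumed Composer install of nesbot/carbon

use Carbon\Carbon;

// Unsafe pattern from the analysis: a raw request value reaches setLocale.
// Shown only to make the data flow visible; never do this.
function setLocaleUnsafe(string $requested): void
{
    Carbon::setLocale($requested);
}

/**
 * Hardened pattern: the request value is never used as a locale name directly.
 * It must (1) match a strict structural pattern and (2) be on the application's
 * allow-list, which is itself intersected with the locales Carbon actually ships.
 * Returns the locale that was applied, or null if the request was rejected.
 */
function setLocaleSafe(string $requested, array $allowedLocales): ?string
{
    // Structural check: a language tag such as "en", "fr_CA" or "pt_BR".
    // Slashes, dots and traversal sequences cannot pass this pattern.
    if (!preg_match('/^[a-z]{2,3}(?:_[A-Z]{2})?$/', $requested)) {
        return null;
    }

    // Allow-list check: only locales the application deliberately supports,
    // narrowed to those Carbon knows about (getAvailableLocales is assumed).
    $known = array_intersect($allowedLocales, Carbon::getAvailableLocales());
    if (!in_array($requested, $known, true)) {
        return null;
    }

    Carbon::setLocale($requested);
    return Carbon::getLocale();
}

// Application-defined allow-list (an assumption for this example).
$allowedLocales = ['en', 'fr', 'de', 'es', 'pt_BR'];

// Constructed sample requests: one legitimate value and two that must be rejected.
$samples = [
    'fr',                  // valid and allow-listed
    '../../uploads/x',     // traversal-style value, rejected by the regex
    'xx',                  // well-formed but not on the allow-list
];

foreach ($samples as $value) {
    $applied = setLocaleSafe($value, $allowedLocales);
    printf("%-20s => %s\n", var_export($value, true), $applied ?? 'rejected');
}
```

The regex rejects anything that is not shaped like a locale tag before Carbon ever sees it, and the allow-list means a well-formed but unsupported name is also refused, so an uploaded .php file can never be selected by name regardless of where the upload directory sits. Pair this with the upgrade to 3.8.4 or 2.72.6; the validation is defence in depth, not a substitute for the patch.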