Source: php-nesbot-carbon Version: 2.69.0-5 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for php-nesbot-carbon. CVE-2025-22145[0]: | Carbon is an international PHP extension for DateTime. Application | passing unsanitized user input to Carbon::setLocale are at risk of | arbitrary file include, if the application allows users to upload | files with .php extension in an folder that allows include or | require to read it, then they are at risk of arbitrary code ran on | their servers. This vulnerability is fixed in 3.8.4 and 2.72.6. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-22145 https://www.cve.org/CVERecord?id=CVE-2025-22145 [1] https://github.com/CarbonPHP/carbon/security/advisories/GHSA-j3f9-p6hm-5w6q [2] https://github.com/briannesbitt/Carbon/commit/1e9d50601e7035a4c61441a208cb5bed73e108c5 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
