PT-2025-4381 · Carbon+1

Szczepan Hołyszewski · Published 2025-01-08 · Updated 2025-03-16 · CVE-2025-22145

CVSS v4.0: 6.3 (Medium)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Carbon versions prior to 3.8.4
Carbon versions prior to 2.72.6

Description

The issue arises when applications pass unsanitized user input to Carbon::setLocale, putting them at risk of arbitrary file inclusion. If the application also allows users to upload files with a .php extension into a folder from which include or require can read them, it is at risk of arbitrary code execution on its servers.

Recommendations

For versions prior to 3.8.4, update to version 3.8.4 or later. For versions prior to 2.72.6, update to version 2.72.6 or later.

As a temporary workaround, validate input before calling setLocale(), for example by forbidding or removing / and ``. Alternatively, call setLocale() only with a locale taken from a whitelist of supported locales.

When accepting uploads, rename the files so they cannot carry a .php extension. Prefer storage that is not local to the application, such as a remote service or a local service run by another user.
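The whitelist workaround from the recommendations, written out as an added example (this is not code from the advisory or from the Carbon project). The allowlist contents, the `lang` request parameter and the `resolveLocale` helper are assumptions chosen for illustration; `Carbon::setLocale()` and `translatedFormat()` are real Carbon methods.

```php
<?php
// Added example (not part of the advisory or of the Carbon project):
// validate a user-supplied locale against an allowlist before handing it
// to Carbon::setLocale(). The allowlist below and the request parameter
// name "lang" are assumptions for illustration.

declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Carbon\Carbon;

/**
 * Locales the application actually ships translations for (assumed list).
 * Keep it explicit; never derive it from user input or from the filesystem.
 */
const SUPPORTED_LOCALES = ['en', 'en_GB', 'de', 'fr', 'pl', 'pt_BR'];

/**
 * Returns a safe, canonical locale name, or null if the input is not acceptable.
 *
 * Two layers: a strict syntactic check (letters, digits and underscore only,
 * bounded length, so path separators and dots can never pass), then an exact
 * case-insensitive match against the allowlist. Either layer alone would block
 * a path-shaped value; both together keep the policy easy to audit.
 */
function resolveLocale(?string $input): ?string
{
    if ($input === null || $input === '') {
        return null;
    }
    if (preg_match('/^[A-Za-z]{2,3}(_[A-Za-z0-9]{2,8}){0,2}$/', $input) !== 1) {
        return null;
    }
    foreach (SUPPORTED_LOCALES as $locale) {
        if (strcasecmp($locale, $input) === 0) {
            return $locale; // hand back the allowlisted spelling, not the raw input
        }
    }
    return null;
}

// Vulnerable pattern the advisory describes: raw request data reaches setLocale().
// Carbon::setLocale($_GET['lang']);

// Hardened pattern: only an allowlisted value is ever passed, with a fixed fallback.
$locale = resolveLocale($_GET['lang'] ?? null) ?? 'en';
Carbon::setLocale($locale);

echo Carbon::now()->translatedFormat('l, d F Y'), PHP_EOL;

// Constructed sample inputs: only the first two resolve to a locale,
// the rest (separators, dots, unknown codes, empty string) yield null.
foreach (['pl', 'EN_gb', '../other', 'de/x', 'xx', ''] as $sample) {
    var_dump(resolveLocale($sample));
}
```

The syntactic check alone already prevents a directory separator from reaching Carbon, but the allowlist is the control that survives a future change in how the library resolves locale files, so keep both and log rejected values rather than silently falling back if you want to see probing in your application logs.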

Weakness Enumeration

Related Identifiers

CVE-2025-22145
DLA-4068-1
GHSA-J3F9-P6HM-5W6Q

Affected Products

Carbon
Debian