
CVE-2025-54082: CWE-434: Unrestricted Upload of File with Dangerous Type in marshmallow-packages nova-tiptap

Severity: High
Published: Mon Jul 21 2025 (07/21/2025, 16:25:11 UTC)
Source: CVE Database V5
Vendor/Project: marshmallow-packages
Product: nova-tiptap

Description

marshmallow-packages/nova-tiptap is a rich text editor for Laravel Nova based on tiptap. Prior to 5.7.0, a vulnerability was discovered in the marshmallow-packages/nova-tiptap Laravel Nova package that allows unauthenticated users to upload arbitrary files to any Laravel disk configured in the application. The vulnerability is due to missing authentication middleware (Nova and Nova.Auth) on the /nova-tiptap/api/file upload endpoint, the lack of validation on uploaded files (no MIME/type or extension restrictions), and the ability for an attacker to choose the disk parameter dynamically. This means an attacker can craft a custom form and send a POST request to /nova-tiptap/api/file, supplying a valid CSRF token, and upload executable or malicious files (e.g., .php, binaries) to public disks such as local, public, or s3. If a publicly accessible storage path is used (e.g. S3 with public access, or Laravel’s public disk), the attacker may gain the ability to execute or distribute arbitrary files — amounting to a potential Remote Code Execution (RCE) vector in some environments. This vulnerability was fixed in 5.7.0.

AI-Powered Analysis

Last updated: 07/21/2025, 17:01:15 UTC

Technical Analysis

CVE-2025-54082 is a high-severity vulnerability affecting versions of the marshmallow-packages/nova-tiptap Laravel Nova package prior to 5.7.0. Nova-tiptap is a rich text editor integrated into Laravel Nova, a popular administration panel for Laravel applications. The vulnerability arises from the lack of authentication middleware on the /nova-tiptap/api/file upload endpoint, combined with insufficient validation of uploaded files and the ability for attackers to specify the storage disk dynamically. Specifically, unauthenticated attackers can craft POST requests with a valid CSRF token to upload arbitrary files, including executable scripts such as PHP files or binaries, to any Laravel disk configured in the application (e.g., local, public, or S3 storage). Since the endpoint does not restrict MIME types or file extensions, malicious files can be uploaded without validation. If the storage disk is publicly accessible, such as a public S3 bucket or Laravel’s public disk, attackers may execute or distribute these files, potentially leading to Remote Code Execution (RCE). This vulnerability is particularly dangerous because it requires no authentication or user interaction, and the attacker can dynamically select the storage disk, increasing the attack surface. The vulnerability was fixed in version 5.7.0 of nova-tiptap. The CVSS 4.0 base score is 8.1 (high), reflecting the network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, but the ease of exploitation and potential impact make this a critical issue for affected deployments.

Potential Impact

For European organizations using Laravel Nova with the nova-tiptap package versions prior to 5.7.0, this vulnerability poses a significant risk. Successful exploitation can lead to unauthorized file uploads of malicious payloads, enabling attackers to execute arbitrary code on the server or distribute malware via publicly accessible storage. This can result in full system compromise, data breaches, service disruption, and reputational damage. Given the popularity of Laravel Nova in web application administration, especially among SMEs and enterprises in Europe, the risk extends to a broad range of sectors including finance, healthcare, e-commerce, and public services. The ability to upload files without authentication and validation means attackers can bypass typical security controls, potentially leading to lateral movement within networks or persistent footholds. Additionally, if the uploaded files are hosted on public cloud storage (e.g., AWS S3), the attack surface increases, potentially exposing sensitive data or enabling phishing campaigns. The vulnerability's impact on confidentiality, integrity, and availability is high, and exploitation could violate GDPR requirements on data protection and breach notification, leading to legal and financial consequences for European entities.

Mitigation Recommendations

1. Immediate upgrade: Organizations should upgrade the nova-tiptap package to version 5.7.0 or later, where the vulnerability is patched.
2. Access control: Until patching is possible, restrict access to the /nova-tiptap/api/file endpoint using web application firewalls (WAFs), IP whitelisting, or network segmentation to limit exposure.
3. Storage configuration: Review and restrict permissions on Laravel disks, especially public and S3 buckets, to prevent public write or execute access. Disable public access on S3 buckets unless absolutely necessary and enforce least privilege policies.
4. Input validation: Implement additional server-side validation for uploaded files, including MIME type checks, file extension whitelisting, and content scanning for malicious payloads.
5. Monitoring and detection: Deploy monitoring to detect unusual file uploads, especially executable files, and anomalous POST requests to the vulnerable endpoint.
6. CSRF token management: Ensure CSRF tokens are rotated and validated properly to reduce the risk of token reuse by attackers.
7. Incident response readiness: Prepare to investigate and remediate potential exploitation attempts, including scanning for web shells or unauthorized files in storage.
8. Developer awareness: Educate development teams on secure file upload practices and the importance of authentication middleware on sensitive endpoints.
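As an added example (not nova-tiptap's own code), the following Laravel route handles the same upload path with the three controls the advisory describes as missing: the Nova authentication middleware, a fixed allowlist for the disk parameter, and MIME/extension validation of the file. The disk allowlist, the MIME list, the size limit and the storage sub-directory are assumptions for illustration.

```php
<?php
// Added example, not the package's own code: a hardened handler for the
// /nova-tiptap/api/file route. The allowlists below are assumptions.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\Storage;
use Illuminate\Validation\Rule;

// Disks a client may target. The vulnerable handler accepted any configured
// disk name from the request; here the choice is limited to a fixed allowlist.
const ALLOWED_UPLOAD_DISKS = ['public'];

// File types the editor actually needs. Anything else (php, phar, html, svg,
// binaries) is rejected before it reaches storage.
const ALLOWED_UPLOAD_MIMES = 'jpg,jpeg,png,gif,webp,pdf';

Route::post('/nova-tiptap/api/file', function (Request $request) {
    $validated = $request->validate([
        // `mimes` matches the detected MIME type of the file's content against
        // the listed extensions, not only the client-supplied filename.
        'file' => ['required', 'file', 'mimes:' . ALLOWED_UPLOAD_MIMES, 'max:10240'],
        // Reject any disk name outside the allowlist instead of passing the
        // request value straight to Storage::disk().
        'disk' => ['required', 'string', Rule::in(ALLOWED_UPLOAD_DISKS)],
    ]);

    $file = $validated['file'];
    $disk = $validated['disk'];

    // Choose the stored name server-side from the validated type; the client
    // filename may carry a dangerous extension or path separators.
    $name = bin2hex(random_bytes(16)) . '.' . $file->guessExtension();
    $path = Storage::disk($disk)->putFileAs('tiptap', $file, $name);

    return response()->json([
        'url' => Storage::disk($disk)->url($path),
    ]);
})
// The two Nova middleware the advisory names as absent on the vulnerable
// endpoint: `nova` applies Nova's request stack, `nova.auth` requires an
// authenticated Nova user, so unauthenticated POSTs are rejected.
->middleware(['nova', 'nova.auth']);
```

Keeping the storage disk non-executable (mitigation 3) remains necessary even with this handler, since validation by MIME type does not make a public disk safe to serve arbitrary content from.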


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-07-16T13:22:18.207Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 687e6ecfa83201eaac11ade2

Added to database: 7/21/2025, 4:46:07 PM

Last enriched: 7/21/2025, 5:01:15 PM

Last updated: 8/18/2025, 11:34:00 PM
