CVE-2025-65346: n/a
alexusmai laravel-file-manager 3.3.1 and below is vulnerable to Directory Traversal. The unzip/extraction functionality improperly allows archive contents to be written to arbitrary locations on the filesystem due to insufficient validation of extraction paths.
AI Analysis
Technical Summary
CVE-2025-65346 is a directory traversal vulnerability affecting alexusmai laravel-file-manager versions 3.3.1 and earlier. The vulnerability stems from the unzip or archive extraction functionality, which fails to properly validate the paths of files being extracted from uploaded archives. This allows an attacker to craft malicious archive files containing file paths that traverse directories (e.g., using ../ sequences) and write files outside the intended extraction directory. Because the vulnerability requires no authentication or user interaction, it can be exploited remotely by simply uploading a malicious archive. Successful exploitation can lead to arbitrary file write on the server filesystem, potentially allowing attackers to overwrite critical files, upload web shells, or modify application code, resulting in full compromise of confidentiality and integrity. The CVSS v3.1 base score is 9.1 (critical), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality and integrity. While no public exploits are currently known, the severity and ease of exploitation make this a significant threat. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). No official patches or fixes are listed yet, so mitigation may require manual validation or disabling archive extraction features temporarily.
Potential Impact
For European organizations, this vulnerability poses a severe risk to web applications using the vulnerable laravel-file-manager component. Exploitation can lead to unauthorized file writes, enabling attackers to deploy web shells, modify application logic, or exfiltrate sensitive data. This threatens confidentiality and integrity of critical business data and systems. Organizations in sectors such as finance, healthcare, government, and e-commerce, which rely heavily on web applications and file management features, face increased risk of data breaches and operational disruption. The lack of required authentication and user interaction broadens the attack surface, allowing remote attackers to compromise systems without insider access. Additionally, compromised web servers can be leveraged for further lateral movement or as a foothold for ransomware attacks. The absence of known exploits currently provides a window for proactive mitigation, but the critical severity demands immediate attention.
Mitigation Recommendations
1. Immediately audit usage of alexusmai laravel-file-manager in your web applications and identify versions 3.3.1 and below.
2. If possible, upgrade to a patched version once available from the vendor or community.
3. Until patches are released, disable archive upload and extraction functionality to prevent exploitation.
4. Implement strict server-side validation of archive extraction paths to prevent directory traversal sequences (e.g., ../).
5. Restrict file system permissions of the web server user to limit write access only to intended directories.
6. Employ web application firewalls (WAFs) with rules to detect and block suspicious archive uploads or path traversal attempts.
7. Monitor logs for unusual file upload activity or unexpected file modifications.
8. Conduct penetration testing focused on archive extraction features to verify mitigations.
9. Educate developers on secure file handling practices and the risks of directory traversal.
10. Maintain regular backups and incident response plans to recover from potential compromises.
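Added example, not code from laravel-file-manager or its fix: the per-entry containment check that item 4 calls for, applied to a ZipArchive extraction so that an entry such as ../../app/Http/Kernel.php is refused rather than written. It assumes PHP 8 and an existing, writable $destDir; the function names are hypothetical.

```php
<?php
// Added example, not code from laravel-file-manager: validate every archive
// entry path before writing, so "../" entries cannot escape the destination.

// Absolute target for $entryName under $destDir, or null if the entry would
// resolve outside $destDir (assumed to exist). Normalisation is lexical, so
// the verdict does not depend on what already exists on disk.
function safeEntryTarget(string $destDir, string $entryName): ?string
{
    $base = realpath($destDir);
    $name = str_replace('\\', '/', $entryName);   // archives built on Windows
    if ($base === false || $name === '' || $name[0] === '/' || preg_match('/^[A-Za-z]:/', $name)) {
        return null;                              // absolute path or drive letter
    }
    $parts = [];
    foreach (explode('/', $name) as $seg) {
        if ($seg === '' || $seg === '.') { continue; }
        if ($seg !== '..') { $parts[] = $seg; continue; }
        if ($parts === []) { return null; }       // ".." would climb above $destDir
        array_pop($parts);
    }
    return $parts === [] ? null : $base . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $parts);
}

// Extract $zipPath into $destDir, writing only to paths safeEntryTarget()
// computed; returns the rejected entry names so the caller can log them.
function extractZipSafely(string $zipPath, string $destDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    $rejected = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        $target = safeEntryTarget($destDir, $name);
        if ($target === null) {
            $rejected[] = $name;                  // skip; never extractTo($destDir, $name)
            continue;
        }
        if (str_ends_with($name, '/')) { is_dir($target) || mkdir($target, 0750, true); continue; }
        is_dir(dirname($target)) || mkdir(dirname($target), 0750, true);
        $in = $zip->getStream($name);
        $out = fopen($target, 'wb');
        stream_copy_to_stream($in, $out);
        fclose($in); fclose($out);
    }
    $zip->close();
    return $rejected;
}
```

The check is lexical, so it does not account for symlinks already present under $destDir; extract into a freshly created directory, or additionally verify that realpath(dirname($target)) still starts with $base before each write.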
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6931a58504d931fa5b3e25d9
Added to database: 12/4/2025, 3:15:17 PM
Last enriched: 12/11/2025, 10:04:44 PM
Last updated: 1/19/2026, 8:48:14 PM