The vulnerability in Spatie Laravel Media Library before version 11.23.0 arises from an incomplete list of disallowed file extensions in the FileAdder::defaultSanitizer() method. The sanitizer validates only the final file extension, which allows filenames with double extensions (e.g., shell.php.jpg) to bypass the blocklist. The inner executable extension (.php) remains preserved in the saved filename due to pathinfo() behavior. Furthermore, the blocklist does not include certain executable extensions like .php6, .shtml, and .htaccess, increasing the risk of malicious file uploads. Exploiting the double-extension bypass to achieve PHP execution requires a legacy Apache AddHandler configuration. The vulnerability is tracked as CWE-184 (Incomplete Neutralization of Special Elements).

Successful exploitation could allow an attacker with at least low privileges to upload files that bypass the intended file upload restrictions. This may lead to the storage of files with executable extensions or double extensions that could be executed on the server under specific legacy Apache configurations, potentially enabling remote code execution. The vulnerability has a CVSS 4.0 score of 8.7, indicating high severity. However, no known exploits have been reported in the wild to date.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch is currently documented, users should monitor for updates from Spatie regarding version 11.23.0 or later. Until a patch is available, consider implementing additional server-side validation to reject files with suspicious double extensions and explicitly block all known executable extensions, including .php6, .shtml, and .htaccess. Review and harden Apache configurations to avoid legacy AddHandler directives that could enable execution of such files.