The Carbon PHP extension is an immensely popular library that has become the go-to choice for developers who need to work with dates and times. It provides an elegant and simple API for handling DateTime objects while working around the limitations of the native PHP DateTime class. However, a vulnerability has been discovered in the Carbon library that can expose applications to unauthorized arbitrary file inclusion.
Vulnerability Details
This article focuses on CVE-2025-22145, an arbitrary file include vulnerability affecting Carbon, an international PHP extension for DateTime. The vulnerability is introduced when unsanitized user input is passed to the Carbon::setLocale() method. This can allow an attacker to inject arbitrary file paths and execute PHP code that has been uploaded to the target server through malicious user input.
If a PHP application uses the Carbon library and allows users to upload files with .php extensions onto the server, especially in a folder where the include or require functions can read the files, the application could be at risk of unauthorized execution of arbitrary code on the server.
An attacker can exploit this vulnerability using the following steps:
1. Upload a malicious PHP file to the target server. The file should contain arbitrary code that the attacker wants to execute on the server.
2. Send a request to the application, including unsanitized user input containing the path to the malicious PHP file. The path should be constructed in such a way that it is passed to the Carbon::setLocale() method when the application processes the user input.
3. If the application processes the user input as expected, the Carbon::setLocale() function will attempt to include the malicious file, leading to the execution of the attacker's arbitrary code on the server.
Code Snippet
Here's an example of how this vulnerability can be abused in a PHP application that uses the Carbon library:
<?php
// Load Carbon through the Composer autoloader
require __DIR__ . '/vendor/autoload.php';

// Import the necessary Carbon classes
use Carbon\Carbon;

// Example of unsanitized user input taken straight from the query string
$localeInput = $_GET['locale'];

// Passing the unsanitized user input to setLocale(): on a vulnerable Carbon
// version the value is used to locate a locale file, so a crafted path can
// cause an unintended file to be included
Carbon::setLocale($localeInput);
?>
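The hardened counterpart of the snippet above, as an added example that is not part of the original article or the Carbon project: the raw request value never reaches Carbon::setLocale(); it is first matched against a strict locale-tag pattern and then against the locales the application actually ships. The helper names, the supported-locale list and the demo inputs are constructed for this example; Carbon is assumed to be installed via Composer.

```php
<?php
// Hardened wrapper around Carbon::setLocale() (example code, not Carbon's own).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Carbon\Carbon;

// Constructed allowlist: the locales this application ships translations for.
const SUPPORTED_LOCALES = ['en', 'en_GB', 'fr', 'de', 'pt_BR'];
const DEFAULT_LOCALE = 'en';

/**
 * Return a locale that is safe to hand to Carbon::setLocale(), or null.
 * Only identifiers such as "en", "fr_CA" or "sr_Latn_ME" can match the
 * pattern; slashes, dots, backslashes and null bytes never do, so a
 * path-shaped value is rejected before any allowlist comparison.
 */
function normalizeLocale(?string $input): ?string
{
    if ($input === null) {
        return null;
    }
    if (!preg_match('/^[a-z]{2,3}(?:_[A-Za-z]{2,4})*$/', $input)) {
        return null; // malformed: not a locale tag
    }
    return in_array($input, SUPPORTED_LOCALES, true) ? $input : null;
}

/** Apply the requested locale or fall back to the default; returns what was applied. */
function applyRequestedLocale(array $query): string
{
    $requested = $query['locale'] ?? null;
    $locale = normalizeLocale(is_string($requested) ? $requested : null);
    if ($locale === null) {
        // Record the rejected value so traversal attempts show up in logs,
        // without ever echoing it back to the client.
        error_log('Rejected locale value: ' . json_encode($requested));
        $locale = DEFAULT_LOCALE;
    }
    Carbon::setLocale($locale);
    return $locale;
}

// Demo with constructed inputs: one legitimate tag, one traversal-shaped string.
foreach ([['locale' => 'fr'], ['locale' => '../../uploads/x.php']] as $q) {
    $used = applyRequestedLocale($q);
    echo Carbon::now()->translatedFormat('l') . " (locale: $used)\n";
}
```

The second request is logged and served with the default locale instead of being passed through; the same allowlist check applies regardless of whether the installed Carbon version is patched.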
Original References
The Carbon PHP extension authors have acknowledged the vulnerability and released patches to address the issue. The vulnerability is fixed in the following versions of Carbon: 3.8.4 and 2.72.6.
If you are using an older version of Carbon, it is strongly recommended that you update your application to use one of the patched versions as soon as possible.
- Carbon project GitHub repository: https://github.com/briannesbitt/Carbon
- Carbon project release notes: https://github.com/briannesbitt/Carbon/releases
Conclusion
In summary, the ability to leverage CVE-2025-22145 to execute arbitrary code on a server poses a significant risk to PHP applications that use Carbon for DateTime. It is crucial to validate and sanitize all user input, and to restrict the execution of arbitrary PHP files on the server. Furthermore, updating the Carbon library to version 3.8.4 or 2.72.6 will protect your application from this specific vulnerability.
Timeline
Published on: 01/08/2025 21:15:13 UTC
Last modified on: 02/25/2025 13:15:10 UTC