CVE-2025-22145

N/A Unknown

Published: January 08, 2025 Modified: April 15, 2026

Description

Carbon is an international PHP extension for DateTime. Application passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include, if the application allows users to upload files with .php extension in an folder that allows include or require to read it, then they are at risk of arbitrary code ran on their servers. This vulnerability is fixed in 3.8.4 and 2.72.6.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://github.com/CarbonPHP/carbon/security/advisories/GHSA-j3f9-p6hm-5w6q

Source: security-advisories@github.com

https://github.com/briannesbitt/Carbon/commit/129700ed449b1f02d70272d2ac802357c8c30c58

Source: security-advisories@github.com

https://lists.debian.org/debian-lts-announce/2025/02/msg00032.html

Source: af854a3a-2127-422b-91ae-364da2661108

3 reference(s) from NVD

Quick Stats

CVSS v3 Score

N/A / 10.0

EPSS (Exploit Probability)

0.1%

30th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-98

Related CVEs

CVE-2026-35548 N/A

CVE-2026-6862 5.5

CVE-2026-6861 6.1

CVE-2026-6859 8.8

CVE-2026-6356 9.6