
nexmo/laravel-1.1.2: 2 vulnerabilities (highest severity is: 7.3)

Open mend-for-github-com[bot] opened this issue 10 months ago • 0 comments

Vulnerable Library - nexmo/laravel-1.1.2

Vulnerabilities

| Vulnerability | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (nexmo/laravel version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2025-22145 | High | 7.3 | Not Defined | 0.0% | nesbot/carbon-2.62.1 | Transitive | N/A* | | |
| CVE-2025-45770 | High | 7.0 | Not Defined | 0.0% | lcobucci/jwt-3.4.6 | Transitive | N/A* | | |

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.

Details

CVE-2025-22145

Vulnerable Library - nesbot/carbon-2.62.1

An API extension for DateTime that supports 281 different languages.

Library home page: https://api.github.com/repos/CarbonPHP/carbon/zipball/01bc4cdefe98ef58d1f9cb31bdbbddddf2a88f7a

Dependency Hierarchy:

  • nexmo/laravel-1.1.2 (Root Library)
    • illuminate/support-v5.8.36
      • nesbot/carbon-2.62.1 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Carbon is an international PHP extension for DateTime. Applications passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include; if the application allows users to upload files with a .php extension into a folder from which include or require can read them, then they are at risk of arbitrary code being run on their servers. This vulnerability is fixed in 3.8.4 and 2.72.6.

Publish Date: 2025-01-08

URL: CVE-2025-22145

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/CarbonPHP/carbon/security/advisories/GHSA-j3f9-p6hm-5w6q

Release Date: 2025-01-08

Fix Resolution: 2.72.6,3.8.4

CVE-2025-45770

Vulnerable Library - lcobucci/jwt-3.4.6

A simple library to work with JSON Web Token and JSON Web Signature

Library home page: https://api.github.com/repos/lcobucci/jwt/zipball/3ef8657a78278dfeae7707d51747251db4176240

Dependency Hierarchy:

  • nexmo/laravel-1.1.2 (Root Library)
    • nexmo/client-1.9.1
      • nexmo/client-core-1.8.1
        • lcobucci/jwt-3.4.6 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

jwt v5.4.3 was discovered to contain weak encryption.

Publish Date: 2025-07-31

URL: CVE-2025-45770

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (7.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: High