VYPR
Critical severity 9.8 · NVD Advisory · Published Dec 18, 2024 · Updated Apr 15, 2026

CVE-2024-21546

Description

Versions of the package unisharp/laravel-filemanager before 2.9.1 are vulnerable to Remote Code Execution (RCE): an upload that presents a valid MIME type and whose file name has a '.' inserted after the php extension (a name ending in "php.") passes the upload validation, so an attacker can upload PHP code and subsequently execute it.
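As an added worked example (not code from the unisharp/laravel-filemanager project), the script below shows what the validator sees for a few constructed file names, how a pre-fix blocklist check and the character check introduced by the fix respond to each, and a hardened, anchored variant. It assumes the extension is obtained the way Symfony's UploadedFile::getClientOriginalExtension() obtains it, through pathinfo(), and that the pre-fix check is a lowercase blocklist comparison like the extensionIsNotExcutable(['php', 'html']) call in the project's tests; the function names, the sample names and the hardened variant are this example's own.

```php
<?php
// Added example, not code from unisharp/laravel-filemanager. It models the
// extension checks around CVE-2024-21546 on constructed file names.
// Assumptions: the validator derives the extension the way Symfony's
// UploadedFile::getClientOriginalExtension() does (pathinfo()), and the
// pre-fix check is a lowercase blocklist comparison like the
// extensionIsNotExcutable(['php', 'html']) call in the project's tests.
declare(strict_types=1);

const BLOCKED_EXTENSIONS = ['php', 'html'];

// Extension as the validator would see it for a client-supplied name.
function clientExtension(string $originalName): string
{
    return pathinfo($originalName, PATHINFO_EXTENSION);
}

// Name without its extension; 'shell.php.' yields 'shell.php'. Any code that
// rebuilds a stored name as filename . '.' . extension would write shell.php
// (an observation about pathinfo(), not a claim about the project's renaming).
function clientFilename(string $originalName): string
{
    return pathinfo($originalName, PATHINFO_FILENAME);
}

// Pre-fix blocklist: reject only when the lowercased extension is listed.
function blocklistAllows(string $originalName): bool
{
    return !in_array(strtolower(clientExtension($originalName)), BLOCKED_EXTENSIONS, true);
}

// The check added in commit 8170760c0ae3: any non-alphanumeric character rejects.
// An empty extension contains no such character and is therefore accepted.
function patchedExtensionIsValid(string $originalName): bool
{
    $extension = strtolower(clientExtension($originalName));
    return preg_match('/[^a-zA-Z0-9]/', $extension) === 0;
}

// Hardened variant (this example's suggestion, not the project's code): the
// anchored pattern requires one or more alphanumerics, so '' is rejected too,
// and the blocklist still applies on top of it.
function hardenedAllows(string $originalName): bool
{
    $extension = strtolower(clientExtension($originalName));
    return preg_match('/^[a-z0-9]+$/', $extension) === 1
        && !in_array($extension, BLOCKED_EXTENSIONS, true);
}

// Constructed sample names, including the trailing-dot form the advisory describes.
$samples = ['report.pdf', 'shell.php', 'shell.PHP', 'shell.php.', 'page.html@', 'README'];

$row = "%-12s %-8s %-12s %-10s %-9s %-9s\n";
printf($row, 'name', 'ext', 'filename', 'blocklist', 'extValid', 'hardened');
foreach ($samples as $name) {
    printf(
        $row,
        $name,
        var_export(clientExtension($name), true),
        var_export(clientFilename($name), true),
        blocklistAllows($name) ? 'allow' : 'reject',
        patchedExtensionIsValid($name) ? 'allow' : 'reject',
        hardenedAllows($name) ? 'allow' : 'reject'
    );
}
```

Run it with the php command-line binary. The 'shell.php.' row is the one to study: pathinfo() reports an empty extension and the filename part 'shell.php', the blocklist comparison allows the empty extension, and the non-alphanumeric check also allows it because an empty string contains no offending character; only the anchored variant, which insists on at least one alphanumeric, rejects it. The 'page.html@' row is the case the fix's own unit test exercises.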

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: unisharp/laravel-filemanager (Packagist)
Affected versions: < 2.9.1
Patched versions: 2.9.1

Patches (2)

Commit 8170760c0ae3

fix(security): file extension should not contain special characters

3 files changed · +36 -0
  • src/Exceptions/InvalidExtensionException.php  +11 -0  added
    @@ -0,0 +1,11 @@
    +<?php
    +
    +namespace UniSharp\LaravelFilemanager\Exceptions;
    +
    +class InvalidExtensionException extends \Exception
    +{
    +    public function __construct()
    +    {
    +        $this->message = 'File extension is not valid.';
    +    }
    +}
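Review bot: the constructor assigns $this->message directly instead of going through the base constructor; that works only because Exception::$message is protected, and it skips parent::__construct() entirely. Prefer `parent::__construct('File extension is not valid.');`, or accept an optional $message argument with that default so the caller can include the offending extension in the message.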
    
  • src/LfmUploadValidator.php  +12 -0  modified
    @@ -9,6 +9,7 @@
     use UniSharp\LaravelFilemanager\Exceptions\FileFailedToUploadException;
     use UniSharp\LaravelFilemanager\Exceptions\FileSizeExceedConfigurationMaximumException;
     use UniSharp\LaravelFilemanager\Exceptions\FileSizeExceedIniMaximumException;
    +use UniSharp\LaravelFilemanager\Exceptions\InvalidExtensionException;
     use UniSharp\LaravelFilemanager\Exceptions\InvalidMimeTypeException;
     use UniSharp\LaravelFilemanager\LfmPath;
     
    @@ -94,6 +95,17 @@ public function mimeTypeIsValid($available_mime_types)
             return $this;
         }
     
    +    public function extensionIsValid()
    +    {
    +        $extension = strtolower($this->file->getClientOriginalExtension());
    +
    +        if (preg_match('/[^a-zA-Z0-9]/', $extension) > 0) {
    +            throw new InvalidExtensionException();
    +        }
    +
    +        return $this;
    +    }
    +
         public function sizeIsLowerThanConfiguredMaximum($max_size_in_kb)
         {
             // size to kb unit is needed
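Review bot: the pattern in extensionIsValid() never rejects an empty extension, which is exactly what the trailing-dot name from the advisory produces: getClientOriginalExtension() is pathinfo()-based and returns '' for a name such as 'shell.php.', preg_match('/[^a-zA-Z0-9]/', '') returns 0, and the method returns $this. Anchor the pattern and require at least one character, e.g. `if (preg_match('/^[a-z0-9]+$/', $extension) !== 1) { throw new InvalidExtensionException(); }` (the A-Z range is redundant after strtolower()), and decide explicitly whether extensionless uploads are allowed. Separately, none of the three files in this commit calls extensionIsValid(); the check is inert until the upload path that already chains mimeTypeIsValid() also chains it, so that call site needs to be part of this change or confirmed in the other patch the advisory lists.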
    
  • tests/LfmUploadValidatorTest.php  +13 -0  modified
    @@ -9,6 +9,7 @@
     use UniSharp\LaravelFilemanager\Exceptions\FileFailedToUploadException;
     use UniSharp\LaravelFilemanager\Exceptions\FileSizeExceedConfigurationMaximumException;
     use UniSharp\LaravelFilemanager\Exceptions\FileSizeExceedIniMaximumException;
    +use UniSharp\LaravelFilemanager\Exceptions\InvalidExtensionException;
     use UniSharp\LaravelFilemanager\Exceptions\InvalidMimeTypeException;
     use UniSharp\LaravelFilemanager\LfmPath;
     use UniSharp\LaravelFilemanager\LfmUploadValidator;
    @@ -167,6 +168,18 @@ public function testFailsExtensionIsNotExcutableWithExtensionNotLowerCase()
             $validator->extensionIsNotExcutable(['php', 'html']);
         }
     
    +    public function testFailsExtensionIsValidWithSpecialCharacters()
    +    {
    +        $uploaded_file = m::mock(UploadedFile::class);
    +        $uploaded_file->shouldReceive('getClientOriginalExtension')->andReturn('html@');
    +
    +        $validator = new LfmUploadValidator($uploaded_file);
    +
    +        $this->expectException(InvalidExtensionException::class);
    +
    +        $validator->extensionIsValid();
    +    }
    +
         public function testPassesSizeIsLowerThanConfiguredMaximum()
         {
             $uploaded_file = m::mock(UploadedFile::class);
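Review bot: the only negative case is 'html@', while the scenario this fix targets is the trailing-dot name from the advisory, which reaches the validator as an empty extension; add a case that mocks getClientOriginalExtension() to return '' and asserts the intended outcome (with the pattern as written it passes without throwing, and the test should make that visible one way or the other), plus a positive case such as 'jpg' asserting that extensionIsValid() returns the validator instance. The pre-existing 'Excutable' misspelling in the neighbouring method names is worth a separate cleanup.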
    

Vulnerability mechanics

Before 2.9.1 the upload validator checked the MIME type against a configured list (mimeTypeIsValid()) and compared the lowercased client-supplied extension against a blocklist of executable extensions (the tests exercise it as extensionIsNotExcutable(['php', 'html'])). Neither check constrains which characters may appear in the extension, so a name whose php extension is followed by an extra '.' is submitted with an acceptable MIME type, matches no blocklist entry, and is accepted; the advisory describes this as leading to remote code execution. The fix in commit 8170760c0ae3 adds extensionIsValid(), which throws InvalidExtensionException when the lowercased extension contains any character outside [a-zA-Z0-9].
