CVE-2025-22145 Overview
CVE-2025-22145 is a Local File Inclusion (LFI) vulnerability affecting Carbon, a popular PHP DateTime extension with built-in locale (internationalization) support. Applications that pass unsanitized user input to Carbon::setLocale() are at risk of arbitrary file inclusion. When exploited in conjunction with the ability to upload PHP files to a directory the application can include from, this vulnerability can lead to arbitrary code execution on affected servers.
Critical Impact
Applications allowing user-controlled locale settings combined with PHP file uploads may be vulnerable to arbitrary code execution through local file inclusion.
Affected Products
- Carbon PHP DateTime Extension versions prior to 3.8.4
- Carbon PHP DateTime Extension versions prior to 2.72.6
- Debian systems using vulnerable Carbon packages
Discovery Timeline
- 2025-01-08 - CVE-2025-22145 published to NVD
- 2025-02-25 - Last updated in NVD database
Technical Details for CVE-2025-22145
Vulnerability Analysis
The vulnerability exists in the locale handling mechanism of the Carbon PHP library. When applications pass user-controlled input directly to the Carbon::setLocale() method without proper sanitization, an attacker can manipulate the locale parameter to include arbitrary PHP files from the server's filesystem.
The exploitation chain requires two conditions: first, the application must use user input for locale configuration without validation, and second, the attacker must be able to upload or have access to a PHP file in a directory that can be included by the application. When both conditions are met, the attacker can achieve remote code execution by including their malicious PHP file through the locale mechanism.
The CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) classification accurately describes this vulnerability pattern, where the include path is constructed using untrusted input.
Root Cause
The root cause lies in the AbstractTranslator.php file where locale validation was performed too late in the execution flow. The vulnerable code would construct a file path using the user-supplied locale value before validating whether it was a legitimate locale identifier. This allowed attackers to inject path traversal sequences or arbitrary file paths that would be passed to PHP's include statement.
Attack Vector
The attack requires network access and involves sending crafted locale values to the application's locale-setting functionality. An attacker would:
- Identify an application endpoint that accepts locale parameters
- Upload a malicious PHP file to an accessible directory (if upload functionality exists)
- Craft a malicious locale value containing path traversal sequences pointing to the uploaded file
- Submit the crafted request, causing the malicious PHP file to be included and executed
return true;
}
+ $this->assertValidLocale($locale);
+
foreach ($this->getDirectories() as $directory) {
$data = @include \sprintf('%s/%s.php', rtrim($directory, '\\/'), $locale);
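Review bot: the `return true;` branch immediately above the new `$this->assertValidLocale($locale);` call exits before the check runs, so confirm that code path does not use the same unvalidated `$locale` before returning. Also note the `@` on the `include` below suppresses warnings, so the validator must throw (or otherwise log) on a rejected value; if it merely normalizes the string, attempts to submit traversal sequences will leave no trace in the PHP error log, which undercuts the log-review detection recommended further down.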
Source: GitHub Commit
The patch adds locale validation ($this->assertValidLocale($locale)) before the include statement is executed, ensuring that only legitimate locale identifiers are processed.
Detection Methods for CVE-2025-22145
Indicators of Compromise
- Unusual or malformed locale parameter values in application logs containing path traversal sequences (../, ..\\)
- HTTP requests with locale parameters containing file extensions (.php, .inc)
- Presence of unexpected PHP files in upload directories or temporary folders
- Web server error logs showing failed include attempts with unusual paths
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect path traversal patterns in locale-related parameters
- Monitor application logs for locale values that deviate from standard locale format patterns (e.g., en_US, fr_FR)
- Deploy file integrity monitoring on directories accessible to PHP include operations
- Review PHP error logs for include/require failures that may indicate exploitation attempts
Monitoring Recommendations
- Enable verbose logging for locale-setting operations in Carbon-based applications
- Set up alerts for new PHP file uploads to application-accessible directories
- Monitor for process spawning from web server processes that may indicate successful code execution
- Implement anomaly detection for unusual patterns in locale parameter usage
How to Mitigate CVE-2025-22145
Immediate Actions Required
- Update Carbon to version 3.8.4 or later for 3.x branch installations
- Update Carbon to version 2.72.6 or later for 2.x branch installations
- Audit application code to identify any instances of unsanitized user input being passed to Carbon::setLocale()
- Restrict PHP file uploads and ensure uploaded files cannot be included by the application
Patch Information
The vulnerability is fixed in Carbon versions 3.8.4 and 2.72.6. The fix introduces early locale validation in the AbstractTranslator.php file before the locale value is used to construct include paths. Review the GitHub Security Advisory for complete details on the patch. Debian users should refer to the Debian LTS Announcement for package updates.
Workarounds
- Implement application-level input validation for locale parameters using an allowlist of acceptable locale codes
- Disable or restrict file upload functionality in applications using vulnerable Carbon versions
- Configure PHP open_basedir to limit the directories from which files can be included
- Use disable_functions in php.ini to limit what an attacker can do if code execution is achieved
# Configuration example - restrict the directories PHP may include files from
# Add to php.ini (in a web server config or .htaccess the directive is set via php_admin_value / php_value instead)
open_basedir = /var/www/html:/tmp
# Note: any directory listed here, including /tmp, stays includable; keep upload and temporary
# directories out of the list wherever the application allows it
# Allowlist acceptable locales in application configuration
# Example: ALLOWED_LOCALES="en_US,en_GB,fr_FR,de_DE,es_ES"
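The following is an added example (not code from Carbon or from this advisory) that combines the allowlist workaround above with the log-review detection strategy: a structural check that rejects anything that is not a plain locale identifier, an allowlist lookup before Carbon::setLocale() is ever called, and a helper that flags parameter values pulled from request logs. The ALLOWED_LOCALES constant, the function names and the sample values are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

// Constructed allowlist; mirror the locales the application actually ships.
const ALLOWED_LOCALES = ['en', 'en_US', 'en_GB', 'fr_FR', 'de_DE', 'es_ES'];

// Structural check: language, optional script, optional region, nothing else.
// '/', '\', '.', NUL and similar characters never match, so a value that
// passes cannot turn the sprintf('%s/%s.php', ...) include path into a traversal.
function isWellFormedLocale(string $locale): bool
{
    return (bool) preg_match('/^[a-z]{2,3}(?:_[A-Z][a-z]{3})?(?:_[A-Z]{2}|_\d{3})?$/D', $locale);
}

// Returns the locale to hand to Carbon, falling back instead of trusting the request.
function resolveLocale(?string $requested, string $fallback = 'en'): string
{
    if ($requested === null || !isWellFormedLocale($requested)) {
        return $fallback;
    }
    return in_array($requested, ALLOWED_LOCALES, true) ? $requested : $fallback;
}

// Detection helper for log review: returns the values that fail the structural check,
// i.e. locale parameters that deviate from the en_US / fr_FR pattern the advisory describes.
function flagSuspiciousLocales(array $values): array
{
    return array_values(array_filter($values, fn(string $v): bool => !isWellFormedLocale($v)));
}

// Constructed sample values standing in for locale parameters seen in access logs.
$seen = ['en_US', 'fr_FR', '../../../../tmp/upload', 'de_DE.php', "en\0_US", 'pt_BR'];

$flagged = flagSuspiciousLocales($seen);
foreach ($seen as $value) {
    $status = in_array($value, $flagged, true) ? 'FLAG  ' : 'ok    ';
    // pt_BR is well formed but not allowlisted, so it resolves to the fallback.
    printf("%s %-28s -> setLocale(%s)\n", $status, json_encode($value), resolveLocale($value));
}

// Only call into Carbon when it is installed; the validation above is the point.
if (class_exists(\Carbon\Carbon::class)) {
    \Carbon\Carbon::setLocale(resolveLocale($_GET['locale'] ?? null));
}
```

Run it from the command line to see the three malformed values flagged and pt_BR silently mapped to the fallback; in an application, wire resolveLocale() in front of every setLocale() call that touches request data.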
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.