Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-54082

CVE-2025-54082: Nova Tiptap Editor RCE Vulnerability

CVE-2025-54082 is a remote code execution flaw in marshmallow-packages/nova-tiptap that allows unauthenticated file uploads, potentially enabling attackers to execute malicious code on vulnerable systems.

Updated:

CVE-2025-54082 Overview

CVE-2025-54082 is an unauthenticated arbitrary file upload vulnerability in the marshmallow-packages/nova-tiptap Laravel Nova package, a rich text editor built on tiptap. Versions prior to 5.7.0 expose the /nova-tiptap/api/file endpoint without authentication middleware and without file type validation. Attackers can upload executable files such as .php scripts or binaries to any configured Laravel disk, including public or s3. When the target disk is publicly accessible, this can escalate to Remote Code Execution (RCE) or arbitrary file distribution. The issue is tracked as [CWE-434: Unrestricted Upload of File with Dangerous Type].

Critical Impact

Unauthenticated attackers can upload arbitrary files, including PHP scripts, to publicly accessible Laravel storage disks, enabling potential Remote Code Execution.

Affected Products

  • marshmallow-packages/nova-tiptap versions prior to 5.7.0
  • Laravel Nova applications integrating the nova-tiptap rich text editor
  • Deployments using publicly accessible Laravel disks (local, public, or s3 with public ACLs)

Discovery Timeline

  • 2025-07-21 - CVE-2025-54082 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-54082

Vulnerability Analysis

The vulnerability resides in the file upload route registered by the nova-tiptap package. The /nova-tiptap/api/file endpoint is mounted without the standard Nova and Nova.Auth middleware that normally enforce authenticated access to Laravel Nova admin functionality. As a result, any user who can reach the application and obtain a CSRF token can submit a POST request to the endpoint.

The handler additionally accepts a disk parameter supplied by the client, allowing the attacker to select the target storage backend dynamically. Combined with the absence of MIME type and extension validation, this lets an attacker write arbitrary content under attacker-chosen filenames to disks the application has configured.

When the chosen disk is web-accessible — for example Laravel's public disk symlinked under /storage, or an S3 bucket with public read — uploaded .php files served through a PHP-FPM enabled directory translate directly into code execution. In other configurations the flaw still enables hosting malware, phishing payloads, or defacement content under the trusted domain.

Root Cause

The root cause is missing authorization on a sensitive route combined with absent server-side validation. The route definition omits Nova and Nova.Auth middleware, and the controller accepts user-controlled disk selection and file content without restricting allowed MIME types or extensions. This combination violates [CWE-434] by permitting unrestricted upload of files with dangerous types.

Attack Vector

Exploitation requires only network access to a vulnerable Laravel Nova installation. The attacker fetches the application's CSRF token from any rendered page, then crafts a multipart POST request to /nova-tiptap/api/file containing a malicious file payload and a disk parameter pointing at a public-readable storage location. The server writes the file to the chosen disk and returns its accessible URL. The attacker then requests that URL to trigger execution or distribute the payload. No authentication, user interaction, or elevated privileges are required.

No verified public proof-of-concept code is available. Refer to the GitHub Security Advisory GHSA-96c2-h667-9fxp and the GitHub Commit Changes for the authoritative fix.

Detection Methods for CVE-2025-54082

Indicators of Compromise

  • HTTP POST requests to /nova-tiptap/api/file originating from unauthenticated sessions or unexpected source IPs.
  • New files with executable extensions (.php, .phtml, .phar, .jsp, ELF binaries) appearing in directories backed by the Laravel public disk or in S3 buckets with public ACLs.
  • Web server access logs showing GET requests to newly created files under /storage/ shortly after a POST to the tiptap upload endpoint.

Detection Strategies

  • Review the application's route list with php artisan route:list and confirm whether the nova-tiptap upload route is bound behind Nova and Nova.Auth middleware.
  • Audit Laravel storage directories and S3 buckets for files whose extensions do not match expected rich text editor uploads (images, documents).
  • Correlate web server, application, and object storage logs for POST requests to /nova-tiptap/api/file followed by file reads from public storage paths.

Monitoring Recommendations

  • Alert on any POST to /nova-tiptap/api/file lacking an authenticated Nova session cookie.
  • Monitor object storage write APIs (s3:PutObject) for uploads of executable MIME types from application service principals.
  • Track creation of new files under storage/app/public/ and trigger review if extensions fall outside an approved allowlist.

How to Mitigate CVE-2025-54082

Immediate Actions Required

  • Upgrade marshmallow-packages/nova-tiptap to version 5.7.0 or later using composer update marshmallow-packages/nova-tiptap.
  • Audit Laravel public and S3 disks for unexpected files uploaded since the package was first deployed and remove any unauthorized artifacts.
  • Rotate any credentials or secrets that may have been exposed through arbitrary files written to public storage.

Patch Information

The maintainers fixed CVE-2025-54082 in version 5.7.0. The patch applies the Nova and Nova.Auth middleware to the upload route, restricts the selectable disk parameter, and enforces file type validation. Review the GitHub Commit Changes and the GitHub Security Advisory GHSA-96c2-h667-9fxp for full remediation detail.

Workarounds

  • If an immediate upgrade is not possible, block external access to /nova-tiptap/api/file at the web server, load balancer, or WAF layer until the package is patched.
  • Reconfigure Laravel disks so that the public and any S3 disks used by the application do not serve files with executable extensions, for example by disabling PHP execution under /storage/.
  • Restrict S3 bucket policies to deny public read access and require authenticated retrieval for any disk reachable by the upload handler.
bash
# Upgrade the vulnerable package to the patched release
composer require marshmallow-packages/nova-tiptap:^5.7.0
php artisan route:list | grep nova-tiptap

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.