CVE-2025-54082 Overview
CVE-2025-54082 is an unauthenticated arbitrary file upload vulnerability in the marshmallow-packages/nova-tiptap Laravel Nova package, a rich text editor based on tiptap. Versions prior to 5.7.0 expose the /nova-tiptap/api/file upload endpoint without Nova authentication middleware. The endpoint also lacks MIME or extension validation and allows attackers to choose the target Laravel disk dynamically. An attacker with a valid CSRF token can upload executable content such as .php files to public disks, potentially leading to Remote Code Execution (RCE) when the storage path is web-accessible. The flaw is categorized as [CWE-434: Unrestricted Upload of File with Dangerous Type].
Critical Impact
Unauthenticated attackers can upload arbitrary files — including PHP scripts — to public Laravel disks, enabling potential remote code execution or malware distribution from trusted application domains.
Affected Products
- marshmallow-packages/nova-tiptap versions prior to 5.7.0
- Laravel Nova applications integrating the nova-tiptap rich text editor
- Deployments exposing the public, local, or S3 disks with public access
Discovery Timeline
- 2025-07-21 - CVE-2025-54082 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-54082
Vulnerability Analysis
The vulnerability stems from three compounding weaknesses in the nova-tiptap package. First, the /nova-tiptap/api/file route is registered only under the nova middleware group, omitting nova.auth. This exposes the upload handler to any unauthenticated visitor who can obtain a CSRF token from the application. Second, the controller performs no validation of file MIME type, extension, or content. Third, the request body accepts an attacker-controlled disk parameter, allowing the uploader to choose the destination Laravel storage disk — including public or s3 disks that may be served over HTTPS.
When these conditions combine in a deployment where the chosen disk maps to a web-served directory, the attacker can request the uploaded file via its public URL. If the file is a .php script and the storage path is within the PHP execution scope, the server interprets and runs the attacker's code. In other deployments the impact is reduced to arbitrary file distribution under a trusted domain, which still enables phishing payload hosting and malware staging.
Root Cause
The root cause is missing authorization on a file-handling route combined with absent server-side input validation. The original route definition applied only the nova middleware, which loads Nova's request context but does not enforce authentication. No allow-list of file types or fixed destination disk was enforced.
Attack Vector
Exploitation requires only network access to the Laravel application and a CSRF token from any reachable page. The attacker crafts a multipart POST request to /nova-tiptap/api/file, supplies the token, sets disk=public (or another writable disk), and attaches a malicious file such as shell.php. No credentials, user interaction, or prior compromise is required.
// Security patch in src/FieldServiceProvider.php
// Adds the missing nova.auth middleware to the upload route group
*/
protected function routes()
{
- Route::middleware(['nova'])
+ Route::middleware(['nova', 'nova.auth'])
->prefix('nova-tiptap/api')
->group(__DIR__ . '/../routes/api.php');
}
Source: GitHub commit fed42d2
Detection Methods for CVE-2025-54082
Indicators of Compromise
- POST requests to /nova-tiptap/api/file originating from unauthenticated sessions or unexpected source IPs.
- New files with executable extensions (.php, .phtml, .phar, .jsp, .aspx) under storage/app/public/ or other writable disk paths.
- Outbound HTTP requests to attacker infrastructure originating from the php-fpm or web server process shortly after a file upload event.
- Files in S3 buckets with public ACLs that do not match the application's normal upload patterns or naming conventions.
Detection Strategies
- Inspect web server access logs for POST traffic to /nova-tiptap/api/file and correlate with the authenticated session state in the Laravel session store.
- Monitor file system events on Laravel storage/ and configured disk roots for creation of files with executable extensions.
- Audit the installed version of marshmallow-packages/nova-tiptap in composer.lock across all Laravel Nova deployments and flag any version below 5.7.0.
Monitoring Recommendations
- Enable detailed request logging on the Nova application and forward events to a centralized analytics platform for retroactive hunting.
- Alert on first-seen file extensions or content types written to public storage disks.
- Track process lineage where the PHP interpreter spawns shells, network utilities, or package managers immediately after web requests targeting the vulnerable route.
How to Mitigate CVE-2025-54082
Immediate Actions Required
- Upgrade marshmallow-packages/nova-tiptap to version 5.7.0 or later using composer update marshmallow-packages/nova-tiptap.
- Review all Laravel disks for unexpected files created since the package was installed, focusing on the public and any S3 disks with public read access.
- Rotate application keys and any credentials that may have been exposed if web shell execution is suspected.
- Restrict direct execution of uploaded content by ensuring storage directories disable PHP execution at the web server level.
Patch Information
The fix is included in marshmallow-packages/nova-tiptap version 5.7.0. The patch applies the nova.auth middleware to the API route group in src/FieldServiceProvider.php and introduces explicit upload configuration in config/nova-tiptap.php, including default storage disk, path, and maximum file size settings. See the GitHub Security Advisory GHSA-96c2-h667-9fxp for advisory details.
Workarounds
- If patching is not immediately possible, add a temporary route override that applies the nova.auth middleware to the /nova-tiptap/api prefix.
- Block requests to /nova-tiptap/api/file at the reverse proxy or web application firewall for any client lacking a valid Nova session cookie.
- Disable public read access on S3 buckets and remove public symlinks for the Laravel public disk until the upgrade is complete.
# Nginx workaround: deny unauthenticated access to the vulnerable endpoint
location = /nova-tiptap/api/file {
if ($cookie_nova_session = "") { return 403; }
proxy_pass http://php-upstream;
}
# Disable PHP execution within Laravel storage paths
location ~* ^/storage/.*\.(php|phtml|phar)$ {
deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
