CVE-2025-22145: 
PHP vulnerability analysis and mitigation

Carbon, an international PHP extension for DateTime, was found to contain a vulnerability (CVE-2025-22145) related to arbitrary file inclusion. The vulnerability affects versions prior to 3.8.4 and 2.72.6, where applications passing unsanitized user input to Carbon::setLocale are at risk. The issue was discovered and disclosed on January 8, 2025 (GitHub Advisory).

The vulnerability stems from improper validation of input passed to the Carbon::setLocale function. If an application allows users to upload files with .php extension in a folder that permits include or require operations, attackers could potentially execute arbitrary code on the server. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) (GitHub Advisory).

If successfully exploited, this vulnerability could allow attackers to execute arbitrary code on the server through file inclusion, potentially leading to complete system compromise. The impact is particularly severe for applications that allow file uploads with .php extensions in directories accessible to the include/require functions (GitHub Advisory).

Several mitigation strategies are available: validate input before calling setLocale() by forbidding or removing / and , call setLocale() only with a locale from a whitelist of supported locales, rename uploaded files to prevent .php extensions, or use remote storage systems outside the application's base directory. The issue has been patched in versions 3.8.4 and 2.72.6 (GitHub Advisory, Carbon Commit).