CVE-2025-48490: 
PHP vulnerability analysis and mitigation

CVE-2025-48490 is a validation bypass vulnerability discovered in Laravel Rest API (lomkit/laravel-rest-api) affecting versions prior to 2.13.0. The vulnerability was discovered and disclosed on May 25, 2025. The issue affects how the framework handles validation rules across multiple contexts such as index, store, and update actions, where multiple validations defined for the same attribute could be silently overridden (GitHub Advisory, Wiz).

The vulnerability occurs when multiple validations defined for the same attribute could be silently overridden. Due to the framework's handling of validation rule merging across different contexts, malicious actors could craft requests that bypass expected validation rules. The vulnerability has been assigned a CVSS v4.0 base score of 6.6 (Moderate) with the following vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U (GitHub Advisory).

The vulnerability could lead to unauthorized data being accepted or processed by the API, depending on the context in which the validation was bypassed. This could potentially allow attackers to inject unexpected or dangerous parameters into the application (GitHub Advisory, Wiz).

The vulnerability has been patched in version 2.13.0. The fix was implemented in PR #172, which ensures that multiple rule definitions are merged correctly rather than being overwritten. Users are advised to upgrade to version 2.13.0 or later to address this security issue (GitHub Advisory).