
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
The vulnerability (GHSA-69rh-hccr-cxrj) was identified in the Laravel Rest API package (lomkit/laravel-rest-api) affecting versions prior to 2.13.0. This search validation bypass vulnerability was discovered and disclosed on May 25, 2025, with an update published to the GitHub Advisory Database on May 27, 2025. The vulnerability received a CVSS score of 6.6 (Moderate severity) and was assigned CVE-2025-48490 (GitHub Advisory).
The vulnerability stems from a flaw in how the framework handles multiple validation rules for the same attribute across different contexts (index, store, and update actions). When multiple validations are defined for the same attribute, they could be silently overridden, allowing malicious actors to bypass expected validation rules. The vulnerability is characterized by a Network attack vector with Low attack complexity, requiring no privileges and no user interaction for exploitation (GitHub Advisory).
The vulnerability could lead to unauthorized data being accepted or processed by the API, depending on the context in which the validation was bypassed. According to the CVSS metrics, while there is no impact on confidentiality and availability, the vulnerability poses a High integrity impact on the vulnerable system (GitHub Advisory).
The vulnerability has been patched in version 2.13.0 of the Laravel Rest API package. The fix was implemented through PR #172, which ensures that multiple rule definitions are merged correctly rather than being overwritten. Users should upgrade to version 2.13.0 or later to mitigate this vulnerability (GitHub Advisory, GitHub PR).
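The override-versus-merge behaviour described above, as an added example that is not code from lomkit/laravel-rest-api or from the advisory: a simplified PHP model in which every function name and rule set is hypothetical. It includes a check that reports which declared rules are missing from the effective set.

```php
<?php
// Added illustration: a simplified model, not lomkit/laravel-rest-api code.
// All function names and rule sets below are hypothetical.

/** Vulnerable pattern: a later definition for an attribute replaces the earlier one. */
function collectOverwrite(array ...$sources): array
{
    $rules = [];
    foreach ($sources as $source) {
        foreach ($source as $attribute => $attributeRules) {
            $rules[$attribute] = (array) $attributeRules;
        }
    }
    return $rules;
}

/** Fixed pattern: definitions for the same attribute are concatenated and de-duplicated. */
function collectMerged(array ...$sources): array
{
    $rules = [];
    foreach ($sources as $source) {
        foreach ($source as $attribute => $attributeRules) {
            $rules[$attribute] = array_values(array_unique(
                array_merge($rules[$attribute] ?? [], (array) $attributeRules)
            ));
        }
    }
    return $rules;
}

/** Defender check: attributes whose effective rules lost something that was declared. */
function droppedRules(array $effective, array ...$sources): array
{
    $dropped = [];
    foreach (collectMerged(...$sources) as $attribute => $declared) {
        $missing = array_values(array_diff($declared, $effective[$attribute] ?? []));
        if ($missing !== []) {
            $dropped[$attribute] = $missing;
        }
    }
    return $dropped;
}

// Constructed sample: two rule sets that both constrain "email".
$shared = ['email' => ['required', 'email'], 'name' => ['string']];
$update = ['email' => ['max:255']];

print_r(droppedRules(collectOverwrite($shared, $update), $shared, $update));
print_r(droppedRules(collectMerged($shared, $update), $shared, $update));
```

The same comparison works as a regression test: after upgrading, the effective rules for any attribute declared in more than one place should contain every declared rule.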
Source: This report was generated using AI