## https://sploitus.com/exploit?id=5A69C9F3-E803-51EB-B5DE-582254FF24EE
# CVE-2025-65345 โ Authenticated Path Traversal From Zip Function Leading to Filesystem Disclosure in laravel-file-manager v3.3.1
## ๐งญ Overview
An authenticated Directory Traversal vulnerability in laravel-file-manager v3.3.1 and below allows attackers with access to the file manager interface to use zip/archiving function to create archives containing files and directories outside the intended scope due to improper path validation.
## ๐งฑ Affected Component
- **Project:** `laravel-file-manager`
- **Component:** zip/archiving Functionf
- **Affected version:** **v3.3.1 and below**
## ๐ฏ Attack Vectors
1. Upload or select a folder/file within the file manager GUI.
2. Manipulate the ZIP request payload to include directory traversal sequences such as ../../../../../../../../../var/www or passwd file
3. Trigger ZIP creation, causing the backend to recursively resolve paths outside the allowed storage directory.
4. Download the generated ZIP, which now contains sensitive files from arbitrary locations on the server.
๐ฅ Impact
- Arbitrary File Disclosure: Attackers can retrieve sensitive files such as environment configs (.env), SSH keys, configuration files, log files, and application secrets.
- Privilege Escalation: Disclosure of sensitive credentials can assist in expanding access beyond the application layer.
- Lateral Exploitation Risk: Access to filesystem-level data may expose secrets enabling database access, RCE chains, or full service compromise.
๐ก๏ธ Recommended Remediation
- Implement canonical path validation: Normalize requested file paths and enforce a strict restriction to the projectโs designated storage root.
- Reject any path containing traversal sequences (../, %2e%2e/, nested traversal).
- Apply server-side allowlist logic: Only permit ZIP creation from known, explicitly allowed directories.
- Update to a patched version once the vendor releases a fix addressing this path traversal weakness.
> ## ๐ Credits
> Discovered and reported by: **Chindanai Klabtung, Chayawat Jeamprasertboon, Thanakorn Boontem, Theethat Thamwasin**
---