Platform: laravel
Component: pxlrbt/filament-excel
Fixed in: 2.0.1, 1.1.15
CVE-2024-42485 is a path traversal vulnerability in Filament Excel (pxlrbt/filament-excel), a package that adds Excel export to Filament admin resources. It lets an unauthorized user download arbitrary files from the server, provided the webserver passes ../ sequences through in the request URL rather than normalizing or rejecting them. Affected versions are 2.0.0 and above, before 2.3.3; version 2.3.3 contains the fix.
The vulnerable endpoint is the export download route /filament-excel/{path}. The {path} parameter is used to locate the file on disk without validation or canonicalization, so a request whose path carries traversal sequences (for example ../../../../etc/passwd) resolves to a file outside the export directory, and the route serves it without any check that it is a legitimately generated export. The files an attacker can reach this way include configuration files such as .env, database credentials, source code and other confidential data. Disclosure of application credentials can lead to full compromise of the server and the data it holds. Because Filament is widely used for Laravel admin panels, the number of exposed deployments is potentially large.
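The following is an added example, not code from filament-excel itself, that reproduces the flaw described above in plain PHP and places a hardened resolver beside it. The function and directory names are illustrative, and the export directory, the sample .xlsx and the out-of-tree .env file are constructed fixtures created in a temp directory so the script runs stand-alone with `php traversal_check.php`.

```php
<?php
// Added example (not filament-excel's own code). Shows the vulnerable pattern
// (route parameter appended to the export directory unchecked) next to a
// hardened resolver that rejects traversal. Names are illustrative.

declare(strict_types=1);

// Constructed fixtures: an export directory with one report, and a "secret"
// file one level above it, standing in for the application's .env.
$root = sys_get_temp_dir() . '/filament-excel-demo-' . getmypid();
$exportDir = $root . '/exports';
mkdir($exportDir, 0700, true);
file_put_contents($exportDir . '/users-2024-08-12.xlsx', 'fake xlsx bytes');
file_put_contents($root . '/.env', 'DB_PASSWORD=constructed-secret');

// Vulnerable pattern: {path} from the route is concatenated onto the export
// directory with no validation, so "../.env" escapes it.
function resolveVulnerable(string $exportDir, string $path): string
{
    return $exportDir . '/' . $path;
}

// Hardened resolver: reject ".." segments and absolute paths before touching
// the disk, then canonicalise and confirm the real path is still inside the
// export directory.
function resolveHardened(string $exportDir, string $path): ?string
{
    $segments = explode('/', str_replace('\\', '/', $path));
    if ($path === '' || $path[0] === '/' || in_array('..', $segments, true)) {
        return null;
    }
    $base = realpath($exportDir);
    $real = realpath($exportDir . '/' . $path);
    if ($base === false || $real === false) {
        return null; // export directory or requested file does not exist
    }
    // Require $real to be $base or a descendant; the trailing separator stops
    // "/exports-other" from matching a base of "/exports".
    if ($real !== $base && !str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $real;
}

// Constructed request paths: one legitimate export and three traversal attempts.
$requests = ['users-2024-08-12.xlsx', '../.env', 'sub/../../.env', '/etc/passwd'];
foreach ($requests as $p) {
    $v = resolveVulnerable($exportDir, $p);
    $h = resolveHardened($exportDir, $p);
    printf(
        "%-24s vulnerable=%-16s hardened=%s\n",
        $p,
        is_file($v) ? 'serves ' . basename($v) : 'no file',
        $h === null ? 'rejected' : 'serves ' . basename($h)
    );
}

// Remove the constructed fixtures.
unlink($root . '/.env');
unlink($exportDir . '/users-2024-08-12.xlsx');
rmdir($exportDir);
rmdir($root);
```

In a Laravel controller the hardened resolver would sit between reading the route parameter and calling `response()->download()`; the important property is that the decision is made on the canonicalized path (`realpath`) and not on the raw string, so symlinks and mixed separators cannot reintroduce the escape.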
CVE-2024-42485 was publicly disclosed on August 12, 2024. There is currently no indication of active exploitation campaigns targeting it, no public proof-of-concept (PoC) code has been released as of this writing, and it is not listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.74% (73rd percentile)
The primary mitigation for CVE-2024-42485 is to upgrade Filament Excel to version 2.3.3 or later as soon as possible. If the upgrade cannot be applied immediately because of compatibility or breaking changes, add a Web Application Firewall (WAF) rule that blocks requests to the /filament-excel/{path} route whose path contains a ".." segment. The rule must match the percent-encoded forms as well (%2e%2e%2f, ..%2f and double-encoded variants), because a rule that only looks for the literal string ../ is trivially bypassed. Separately, confirm that the webserver normalizes or rejects dot segments in request URLs instead of passing them to the application. After upgrading, verify the fix by requesting a file outside the export directory through the /filament-excel/{path} route; the request should be refused. Note that browsers and curl collapse ../ segments before sending the request, so test with curl's --path-as-is option or with an encoded path, otherwise the traversal never reaches the server.
Update the `pxlrbt/filament-excel` package to version 2.3.3 or later. `composer update pxlrbt/filament-excel` only moves within the version constraint in composer.json, so if that constraint excludes 2.3.3, run `composer require pxlrbt/filament-excel:^2.3.3` instead, and check the installed version afterwards with `composer show pxlrbt/filament-excel`. Clear the application and route caches after the update (`php artisan optimize:clear`).
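As an added example of the interim request filter described above (not part of filament-excel or of any particular WAF product), the following plain PHP function decides whether a request URI aimed at the export route should be blocked. It decodes percent-encoding repeatedly so that encoded and double-encoded traversal is caught, and it tests for a ".." path segment rather than the raw substring, so a legitimate filename such as report..xlsx is not rejected. The function name and the sample URIs are constructed for the example; the script runs stand-alone with `php traversal_filter.php`.

```php
<?php
// Added example (not the project's code): an interim filter for the
// /filament-excel/{path} route that rejects traversal, including encoded and
// double-encoded variants a literal "../" match would miss.

declare(strict_types=1);

// Returns true when the request should be blocked before reaching the route.
function blocksTraversal(string $requestUri): bool
{
    // Examine the path component only; the query string is irrelevant here.
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        $path = $requestUri;
    }
    if (!str_starts_with($path, '/filament-excel/')) {
        return false; // not the vulnerable route
    }

    // Decode until the string stops changing (bounded) to undo %252e -> %2e -> .
    $decoded = $path;
    for ($i = 0; $i < 3; $i++) {
        $next = rawurldecode($decoded);
        if ($next === $decoded) {
            break;
        }
        $decoded = $next;
    }

    // Treat backslashes as separators as well, then look for a ".." segment.
    $segments = explode('/', str_replace('\\', '/', $decoded));
    return in_array('..', $segments, true);
}

// Constructed sample request URIs with the expected decision for each.
$samples = [
    '/filament-excel/users-2024-08-12.xlsx'  => false,
    '/filament-excel/../../.env'             => true,
    '/filament-excel/%2e%2e/%2e%2e/.env'     => true,
    '/filament-excel/..%2f..%2f.env'         => true,
    '/filament-excel/%252e%252e%252f.env'    => true,  // double-encoded
    '/filament-excel/report..xlsx'           => false, // ".." inside a name, not a segment
    '/other/../../.env'                      => false, // different route, not this filter's job
];

foreach ($samples as $uri => $expected) {
    $got = blocksTraversal($uri);
    printf(
        "%-40s %-5s%s\n",
        $uri,
        $got ? 'BLOCK' : 'allow',
        $got === $expected ? '' : '  <-- unexpected'
    );
}
```

In a Laravel application this check can be wrapped in a route middleware and fed `$request->getRequestUri()`, returning a 403 when it is true; the same logic expressed as a WAF rule should likewise operate on the decoded path so that the encoded forms do not slip past it.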
CVE-2024-42485 is a path traversal vulnerability in Filament Excel's export download route that allows attackers to download arbitrary files from the server without authentication.
You are affected if you are using Filament Excel versions 2.0.0 through 2.3.2 and your webserver allows ../ in URLs.
Upgrade to Filament Excel version 2.3.3 or later. As a temporary workaround, implement a WAF rule that blocks requests to the export route whose path contains a ".." segment, including its percent-encoded forms.
There is currently no indication of active exploitation campaigns targeting this vulnerability.
Refer to the Filament security advisory for detailed information and updates: https://filamentphp.com/docs/security