{"vulnerability": "CVE-2025-22145", "sightings": [{"uuid": "bf63479e-e5d7-42b1-bff9-adebfd22309a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-22145", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/113794680065130976", "content": "", "creation_timestamp": "2025-01-08T20:43:41.755496Z"}, {"uuid": "ee9ae941-84ab-4131-b9ea-72beabe139c8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-22145", "type": "seen", "source": "https://bsky.app/profile/cve-notifications.bsky.social/post/3lfb3is746c2d", "content": "", "creation_timestamp": "2025-01-08T21:15:47.948311Z"}, {"uuid": "35719b1d-c5e4-43bd-922d-e92da79ffdf9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-22145", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/840", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2025-22145\n\ud83d\udd39 Description: Carbon is an international PHP extension for DateTime. Application passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include, if the application allows users to upload files with .php extension in an folder that allows include or require to read it, then they are at risk of arbitrary code ran on their servers. This vulnerability is fixed in 3.8.4 and 2.72.6.\n\ud83d\udccf Published: 2025-01-08T20:40:37.545Z\n\ud83d\udccf Modified: 2025-01-08T20:40:37.545Z\n\ud83d\udd17 References:\n1. https://github.com/CarbonPHP/carbon/security/advisories/GHSA-j3f9-p6hm-5w6q\n2. https://github.com/briannesbitt/Carbon/commit/129700ed449b1f02d70272d2ac802357c8c30c58", "creation_timestamp": "2025-01-08T21:13:58.000000Z"}, {"uuid": "a8a4acfd-5852-455c-bdb0-552f9a26c8a1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-22145", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/5269", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2025-22145\n\ud83d\udd25 CVSS Score: 6.3 (cvssV4_0, Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N)\n\ud83d\udd39 Description: Carbon is an international PHP extension for DateTime. Application passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include, if the application allows users to upload files with .php extension in an folder that allows include or require to read it, then they are at risk of arbitrary code ran on their servers. This vulnerability is fixed in 3.8.4 and 2.72.6.\n\ud83d\udccf Published: 2025-01-08T20:40:37.545Z\n\ud83d\udccf Modified: 2025-02-25T13:07:45.559Z\n\ud83d\udd17 References:\n1. https://github.com/CarbonPHP/carbon/security/advisories/GHSA-j3f9-p6hm-5w6q\n2. https://github.com/briannesbitt/Carbon/commit/129700ed449b1f02d70272d2ac802357c8c30c58", "creation_timestamp": "2025-02-25T13:23:45.000000Z"}, {"uuid": "d5333144-8ad6-4c70-a2e2-d4425c8a8aeb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-22145", "type": "seen", "source": "https://t.me/cvedetector/14737", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2025-22145 - Carbon PHP DateTime Remote File Include Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2025-22145 \nPublished : Jan. 8, 2025, 9:15 p.m. | 36\u00a0minutes ago \nDescription : Carbon is an international PHP extension for DateTime. Application passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include, if the application allows users to upload files with .php extension in an folder that allows include or require to read it, then they are at risk of arbitrary code ran on their servers. This vulnerability is fixed in 3.8.4 and 2.72.6. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"08 Jan 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-01-08T23:21:21.000000Z"}]}