Security issue CVE-2025-22145 in nest/carbon #640

Closed
musahcoding opened this issue Jan 28, 2025 · 3 comments
Comments

@musahcoding

I think right now nesbot/carbon has a security risk, and phpstan-doctrine uses it.

Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | nesbot/carbon                                                                    |
| Severity          | medium                                                                           |
| CVE               | CVE-2025-22145                                                                   |
| Title             | Carbon has an arbitrary file include via unvalidated input passed to             |
|                   | Carbon::setLocale                                                                |
| URL               | https://github.com/advisories/GHSA-j3f9-p6hm-5w6q                                |
| Affected versions | <2.72.6|>=3.0.0,<3.8.4                                                           |
| Reported at       | 2025-01-08T21:03:28+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+

The affected version is 2.49, as I can read in my composer.lock.json:

```json
       {
            "name": "phpstan/phpstan-doctrine",
            "version": "1.5.7",
            "source": {
                "type": "git",
                "url": "https://github.com/phpstan/phpstan-doctrine.git",
                "reference": "231d3f795ed5ef54c98961fd3958868cbe091207"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/phpstan/phpstan-doctrine/zipball/231d3f795ed5ef54c98961fd3958868cbe091207",
                "reference": "231d3f795ed5ef54c98961fd3958868cbe091207",
                "shasum": ""
            },
            "require": {
                "php": "^7.2 || ^8.0",
                "phpstan/phpstan": "^1.12.12"
            },
            "conflict": {
                "doctrine/collections": "<1.0",
                "doctrine/common": "<2.7",
                "doctrine/mongodb-odm": "<1.2",
                "doctrine/orm": "<2.5",
                "doctrine/persistence": "<1.3"
            },
            "require-dev": {
                "cache/array-adapter": "^1.1",
                "composer/semver": "^3.3.2",
                "cweagans/composer-patches": "^1.7.3",
                "doctrine/annotations": "^1.11 || ^2.0",
                "doctrine/collections": "^1.6 || ^2.1",
                "doctrine/common": "^2.7 || ^3.0",
                "doctrine/dbal": "^2.13.8 || ^3.3.3",
                "doctrine/lexer": "^2.0 || ^3.0",
                "doctrine/mongodb-odm": "^1.3 || ^2.4.3",
                "doctrine/orm": "^2.16.0",
                "doctrine/persistence": "^2.2.1 || ^3.2",
                "gedmo/doctrine-extensions": "^3.8",
                "nesbot/carbon": "^2.49",
                "nikic/php-parser": "^4.13.2",
                "php-parallel-lint/php-parallel-lint": "^1.2",
                "phpstan/phpstan-phpunit": "^1.3.13",
                "phpstan/phpstan-strict-rules": "^1.5.1",
                "phpunit/phpunit": "^9.6.20",
                "ramsey/uuid": "^4.2",
                "symfony/cache": "^5.4"
            },
```

To solve it, the nesbot/carbon package should be upgraded to the latest version, 3.8.4.
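
The lock excerpt above lists `nesbot/carbon` under the `require-dev` of `phpstan/phpstan-doctrine`, not under the root project's `require`, and Composer never installs a dependency's own `require-dev`. The following triage script is an added example for this thread, not code from phpstan-doctrine, Composer or the advisory; it checks a `composer.lock` for whether the advised package is actually locked (and whether as a production or dev dependency), which locked packages merely mention it in their own `require-dev`, and whether the locked version falls inside the advisory's affected ranges (`<2.72.6|>=3.0.0,<3.8.4`, as printed by `composer audit`). Both lock structures in the script are constructed for illustration; the function and variable names are the example's own.

```python
"""Triage a Composer advisory against a composer.lock.

Added example for this issue thread; not code from phpstan-doctrine or
Composer.  It answers the two questions that decide whether an advisory
such as GHSA-j3f9-p6hm-5w6q matters for a given install: is the package
actually locked (as a production or dev dependency), and does the locked
version fall inside the advisory's affected ranges?
"""
import json
import re

# Affected ranges exactly as printed by `composer audit` in the issue:
# '|' separates alternatives, ',' joins conjunctive bounds.
AFFECTED = "<2.72.6|>=3.0.0,<3.8.4"

# Constructed lock excerpt mirroring the issue: phpstan-doctrine is locked,
# and its *own* require-dev lists nesbot/carbon.  Composer never installs a
# dependency's require-dev, so carbon appears in neither lock section.
LOCK_NO_CARBON = {
    "packages": [
        {"name": "phpstan/phpstan-doctrine", "version": "1.5.7",
         "require": {"phpstan/phpstan": "^1.12.12"},
         "require-dev": {"nesbot/carbon": "^2.49"}},
    ],
    "packages-dev": [],
}

# Constructed variant: the application itself has locked a vulnerable carbon.
LOCK_WITH_CARBON = {
    "packages": [
        {"name": "phpstan/phpstan-doctrine", "version": "1.5.7",
         "require": {"phpstan/phpstan": "^1.12.12"},
         "require-dev": {"nesbot/carbon": "^2.49"}},
        {"name": "nesbot/carbon", "version": "2.72.5", "require": {}},
    ],
    "packages-dev": [],
}

OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
    "==": lambda a, b: a == b,
}


def load_lock(path):
    """Read a real composer.lock from disk (same shape as the dicts above)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def parse_version(text):
    """'v2.72.5' / '2.72.5-beta1' -> (2, 72, 5); pre-release tags are ignored."""
    core = re.split(r"[-+]", text.lstrip("vV"))[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def _holds(ver, bound):
    # Longer operators are listed first so '<=' is not read as '<' + '=...'.
    m = re.match(r"^(<=|>=|==|<|>|=)?\s*(\S+)$", bound)
    if not m:
        raise ValueError("unsupported constraint: " + bound)
    op = m.group(1) or "="
    return OPS[op](ver, parse_version(m.group(2)))


def in_range(version, constraint):
    """True if `version` satisfies any '|'-separated alternative of `constraint`.

    Only the comparison syntax emitted by `composer audit` is handled; caret and
    tilde operators from composer.json are deliberately not supported.
    """
    ver = parse_version(version)
    for alternative in re.split(r"\|\|?", constraint):
        bounds = [b.strip() for b in alternative.split(",") if b.strip()]
        if bounds and all(_holds(ver, b) for b in bounds):
            return True
    return False


def locate(lock, name):
    """Return ('prod'|'dev', version) if `name` is locked, else None."""
    for section, kind in (("packages", "prod"), ("packages-dev", "dev")):
        for pkg in lock.get(section, []):
            if pkg["name"] == name:
                return kind, pkg["version"]
    return None


def dev_only_mentions(lock, name):
    """Locked packages that reference `name` only in their own require-dev."""
    return sorted(
        pkg["name"]
        for section in ("packages", "packages-dev")
        for pkg in lock.get(section, [])
        if name in pkg.get("require-dev", {}) and name not in pkg.get("require", {})
    )


def triage(lock, name, affected=AFFECTED):
    """Decide whether an advisory for `name` applies to this lock file."""
    found = locate(lock, name)
    if found is None:
        return {"installed": False, "vulnerable": False,
                "dev_only_mentions": dev_only_mentions(lock, name)}
    kind, version = found
    return {"installed": True, "kind": kind, "version": version,
            "vulnerable": in_range(version, affected)}


if __name__ == "__main__":
    for label, lock in (("no carbon locked", LOCK_NO_CARBON),
                        ("carbon locked", LOCK_WITH_CARBON)):
        print(label, triage(lock, "nesbot/carbon"))
```

For the constructed lock that mirrors this issue the result is `installed: False` with `phpstan/phpstan-doctrine` listed as a dev-only mention, which is the situation the maintainer's reply describes; only when the root project itself locks a `nesbot/carbon` inside the affected ranges does `vulnerable` become true. On a real project the same two questions are answered by `composer why nesbot/carbon` (who pulls it in) and `composer audit` (which locked versions match an advisory).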

@ondrejmirtes
Member

The vulnerability is not relevant to this package.

@musahcoding
Author

musahcoding commented Jan 28, 2025 via email

@musahcoding
Author

musahcoding commented Jan 28, 2025

@phpstan phpstan locked and limited conversation to collaborators Jan 28, 2025