PatchSiren cyber security CVE debrief

CVE-2026-48555 spatie CVE debrief

A server-side request forgery (SSRF) vulnerability exists in Spatie Laravel Media Library before version 11.23.0. The `addMediaFromUrl()` method in `InteractsWithMedia.php` accepts user-controlled URLs without adequate validation, allowing remote attackers to induce the server to issue arbitrary outbound HTTP requests. This can enable unauthorized access to internal services, cloud metadata endpoints, or other restricted network resources. The vulnerability was disclosed to the vendor and resolved in version 11.23.0 via a pull request that implemented URL validation controls. Organizations using affected versions should upgrade immediately and review application logic for any custom URL handling that may bypass protections.

Vendor: spatie
Product: laravel-medialibrary
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running Laravel applications with Spatie Laravel Media Library versions below 11.23.0, particularly those exposing media upload functionality to untrusted users or operating in cloud environments where metadata service access poses elevated risk.

Technical summary

The `addMediaFromUrl()` method in Spatie Laravel Media Library's `InteractsWithMedia` trait processes user-supplied URLs to fetch remote media. In versions prior to 11.23.0, insufficient URL validation permits attackers to supply crafted URLs targeting internal network addresses, cloud metadata services (e.g., 169.254.169.254), or other restricted endpoints. The server executes these requests with its own network privileges, potentially exposing sensitive data or enabling further lateral movement. The fix in 11.23.0 introduces validation to restrict allowable URL schemes and destinations.
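The kind of scheme-and-destination check the 11.23.0 fix describes, written here as an added illustration rather than Spatie's own code: `assertSafeMediaUrl` is a hypothetical wrapper to run before `addMediaFromUrl()`, it assumes PHP 8.0 or later, and the stub resolver, hostnames and addresses in the sample run are constructed.

```php
<?php declare(strict_types=1);
// Added illustration, not Spatie's code: a check to run on a user-supplied URL
// before it reaches addMediaFromUrl(). Only http/https is accepted, every resolved
// address is checked, and loopback/private/link-local/reserved ranges are refused.
final class MediaUrlRejected extends InvalidArgumentException {}
// $resolve maps a hostname to its IP strings (default: gethostbynamel); injectable so
// the check runs offline here and so the caller can pin the returned IPs for the fetch.
function assertSafeMediaUrl(string $url, ?callable $resolve = null): array
{
    $resolve ??= static fn (string $host): array => gethostbynamel($host) ?: [];
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'])) {
        throw new MediaUrlRejected("Malformed URL: {$url}");
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new MediaUrlRejected("Scheme not allowed: {$parts['scheme']}");
    }
    if (!isset($parts['host']) || isset($parts['user']) || isset($parts['pass'])) {
        throw new MediaUrlRejected('Missing host or embedded credentials');
    }
    $host = trim($parts['host'], '[]');  // strip IPv6 brackets
    // A literal IP needs no lookup; a hostname is resolved and every answer is checked.
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolve($host);
    if ($ips === []) {
        throw new MediaUrlRejected("Host does not resolve: {$host}");
    }
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            throw new MediaUrlRejected("Destination {$ip} is not a public address");
        }
    }
    return ['url' => $url, 'ips' => $ips];
}
// Constructed sample run with a stub resolver (match needs PHP 8.0+), so it runs offline.
$stubDns = static fn (string $h): array => match ($h) {
    'cdn.example.com' => ['203.0.113.10'],
    'mixed.example'   => ['203.0.113.10', '169.254.169.254'],  // one answer is the metadata IP
    default           => [],
};
$candidates = ['https://cdn.example.com/a.png', 'http://169.254.169.254/latest/meta-data/',
    'http://mixed.example/x', 'ftp://cdn.example.com/a.png', 'http://[::1]/', 'http://10.0.0.5/'];
foreach ($candidates as $candidate) {
    try {
        assertSafeMediaUrl($candidate, $stubDns);
        echo "ALLOW  {$candidate}\n";
    } catch (MediaUrlRejected $e) {
        echo "REJECT {$candidate}: {$e->getMessage()}\n";
    }
}
```

If the HTTP client follows redirects, each hop needs the same check (or redirects disabled), otherwise a validated URL can bounce to a rejected destination.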

Defensive priority

medium

Recommended defensive actions

  • Upgrade Spatie Laravel Media Library to version 11.23.0 or later
  • Review application code for direct calls to `addMediaFromUrl()` with user-supplied input
  • Implement network egress filtering to restrict server outbound connectivity
  • Audit access logs for anomalous outbound HTTP requests from application servers
  • Consider additional URL validation layers for media import functionality if custom wrappers exist

Evidence notes

Vulnerability confirmed via vendor commit and release notes. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, requiring low privileges but no user interaction. CWE-918 (Server-Side Request Forgery) is classified as the primary weakness. No known exploitation in the wild or ransomware campaign use was documented at the time of disclosure.
