Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in the `FileAdder::defaultSanitizer()` method. The sanitizer validates only the final filename suffix, enabling double-extension filenames such as `shell.php.jpg` to bypass the blocklist. The `pathinfo()` function preserves inner `.php` stems in saved filenames. The blocklist also omits executable extensions including .p [truncated]
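The following is an added illustration, not code from the Media Library itself: it shows why a check on `pathinfo()`'s `extension` alone lets `shell.php.jpg` through, and contrasts it with a sanitizer that inspects every dot-separated segment of the name. The blocklist and the sample filenames are constructed for the example; the function names are my own and do not correspond to the library's API.

```php
<?php
declare(strict_types=1);

// Constructed sample blocklist for this example; a real deployment keeps its
// own policy list (and should prefer an allowlist of expected types).
const BLOCKED_EXTENSIONS = ['php', 'phtml', 'phar', 'htaccess', 'cgi', 'pl', 'sh'];

/**
 * Suffix-only check (the weak pattern). pathinfo() reports only the text after
 * the LAST dot as 'extension', so 'shell.php.jpg' yields 'jpg' and is accepted,
 * while the 'filename' part, 'shell.php', is kept verbatim in the stored name.
 */
function suffixOnlyIsBlocked(string $fileName): bool
{
    $extension = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
    return in_array($extension, BLOCKED_EXTENSIONS, true);
}

/**
 * Hardened sanitizer (hypothetical, not the library's): strips any directory
 * component and unusual characters, then walks every segment after the base
 * name and replaces each blocked segment, so no '.php' survives anywhere.
 */
function sanitizeFileName(string $fileName): string
{
    // Normalise separators, drop NUL bytes, keep only the last path component.
    $fileName = basename(str_replace(['\\', "\0"], ['/', ''], $fileName));
    // Collapse anything that is not a word character, dot or dash.
    $fileName = preg_replace('/[^\w.\-]+/u', '-', $fileName) ?? '';

    $segments = explode('.', $fileName);
    $base = array_shift($segments);
    if ($base === '') {
        $base = 'file'; // dot-files such as '.htaccess' get a real base name
    }

    $safeSegments = [];
    foreach ($segments as $segment) {
        $safeSegments[] = in_array(strtolower($segment), BLOCKED_EXTENSIONS, true)
            ? 'txt'
            : $segment;
    }

    return $safeSegments === [] ? $base : $base . '.' . implode('.', $safeSegments);
}

// Constructed sample names to exercise both paths.
$samples = ['shell.php.jpg', 'report.pdf', 'image.PHP', '.htaccess', '../../evil.phtml'];
foreach ($samples as $name) {
    printf(
        "%-20s suffix-only blocked: %-3s  sanitized: %s\n",
        $name,
        suffixOnlyIsBlocked($name) ? 'yes' : 'no',
        sanitizeFileName($name)
    );
}
```

Running it shows `shell.php.jpg` passing the suffix-only check but being rewritten to `shell.txt.jpg` by the segment-wise sanitizer, and `../../evil.phtml` losing both its path and its blocked extension. Segment-wise checking matters because Apache with `mod_php` and `AddHandler` configurations, among others, can interpret an inner `.php` segment regardless of what follows it.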
A server-side request forgery (SSRF) vulnerability exists in Spatie Laravel Media Library before version 11.23.0. The `addMediaFromUrl()` method in `InteractsWithMedia.php` accepts user-controlled URLs without adequate validation, allowing remote attackers to induce the server to issue arbitrary outbound HTTP requests. This can enable unauthorized access to internal services, cloud metadata endpoints, or [truncated]
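As an added example of the validation such a method needs before fetching (not the library's own code), the function below accepts an `addMediaFromUrl()`-style input and rejects anything that is not plain `http`/`https` on a standard port, carries credentials, or resolves to a private or reserved address. The DNS lookup is injected as a callable so the demonstration runs offline against a constructed host map; the default resolver uses PHP's `gethostbynamel()`, which only returns IPv4 records, so a production version should also resolve AAAA records. All function and host names here are assumptions for the example.

```php
<?php
declare(strict_types=1);

/**
 * Returns null when $url is acceptable to fetch, otherwise the reason it was
 * rejected. $resolver maps a hostname to the list of IPs it resolves to.
 */
function ssrfRejectReason(string $url, ?callable $resolver = null): ?string
{
    $resolver ??= fn(string $host): array => gethostbynamel($host) ?: [];

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return 'unparseable URL or missing scheme/host';
    }

    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return "scheme not allowed: $scheme";
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return 'credentials embedded in URL are not allowed';
    }

    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return "port $port not allowed";
    }

    // IPv6 literals arrive bracketed from parse_url; strip the brackets.
    $host = strtolower(trim($parts['host'], '[]'));

    // A literal IP is checked as-is; a hostname is resolved and every address
    // it returns must be public, otherwise the request is refused.
    $addresses = filter_var($host, FILTER_VALIDATE_IP) !== false
        ? [$host]
        : $resolver($host);
    if ($addresses === []) {
        return "host $host does not resolve";
    }
    foreach ($addresses as $ip) {
        $public = filter_var(
            $ip,
            FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
        );
        if ($public === false) {
            return "host $host resolves to non-public address $ip";
        }
    }
    return null;
}

// Constructed DNS map so the example runs without network access.
$fakeDns = [
    'cdn.example.com'      => ['203.0.113.10'],
    'intranet.example.com' => ['10.0.0.5'],
];
$resolver = fn(string $host): array => $fakeDns[$host] ?? [];

// Constructed sample inputs covering the allowed case and each rejection path.
$urls = [
    'https://cdn.example.com/photo.jpg',
    'http://169.254.169.254/latest/meta-data/',
    'http://127.0.0.1/',
    'ftp://cdn.example.com/photo.jpg',
    'https://user:secret@cdn.example.com/photo.jpg',
    'https://cdn.example.com:8443/photo.jpg',
    'https://intranet.example.com/',
];
foreach ($urls as $url) {
    printf("%-48s %s\n", $url, ssrfRejectReason($url, $resolver) ?? 'allowed');
}
```

Only the first URL is allowed; the rest are refused for scheme, credentials, port, reserved range (the metadata and loopback addresses) or private range (the intranet host). Two caveats for deployment: the validation resolves the name once, so the HTTP client must connect to the address that was validated (for example by pinning the resolved IP with cURL's resolve option) or an attacker-controlled DNS record can change between check and fetch; and redirects must be disabled or re-validated hop by hop, since a public host can otherwise redirect the server to an internal one.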