HIGH 7.4

CVE-2026-48555: Spatie Laravel Media Library SSRF Vulnerability – Patch Now

Spatie's Laravel Media Library, a popular file management package for Laravel applications, contains a server-side request forgery (SSRF) vulnerability in versions prior to 11.23.0. The flaw exists in the addMediaFromUrl() method, which accepts user-controlled URLs without proper validation. An attacker with authenticated access can exploit this to force the server to make arbitrary outbound HTTP requests on their behalf, potentially reaching internal systems, cloud metadata endpoints, or external targets that the server can access but the attacker cannot directly reach.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.4 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Weaknesses (CWE)
CWE-918
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

Spatie Laravel Media Library before version 11.23.0 contains a server-side request forgery vulnerability that allows remote attackers to cause the server to issue arbitrary outbound HTTP requests by passing user-controlled URLs to the addMediaFromUrl() method in InteractsWithMedia.php.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability is classified as CWE-918 (Server-Side Request Forgery). The addMediaFromUrl() method in InteractsWithMedia.php fails to validate or sanitize URLs passed by authenticated users. An attacker can supply malformed, internal, or otherwise restricted URLs to trigger unintended server-side HTTP requests. The CVSS 3.1 score of 7.4 (HIGH) reflects the network-accessible nature of the vulnerability, low attack complexity, and the requirement for authenticated access. The impact includes confidentiality loss (information disclosure via response inspection), integrity loss (potential for indirect modification through chained attacks), and availability loss through resource exhaustion or targeting of critical services.

Business impact

Organizations using Laravel Media Library face several risks. An authenticated attacker—whether a compromised internal user account or a threat actor with legitimate credentials—could conduct reconnaissance of internal infrastructure, access cloud metadata services to steal credentials, enumerate internal services, or launch attacks against third-party systems. In multi-tenant SaaS environments, this could allow cross-tenant exploitation if the application shares infrastructure. Supply chain implications exist if the package is embedded in commercial products or widely deployed applications. Incident response and forensic investigation costs may be significant if the vulnerability is leveraged for lateral movement or data exfiltration.

Affected systems

Any application using Spatie Laravel Media Library version 11.22.0 and earlier is vulnerable. The package is widely used in Laravel ecosystems for handling media uploads and storage. Organizations should inventory deployments across their codebase, including third-party dependencies and embedded versions. Vulnerability scanning tools may have limited visibility into transitive dependencies, so dependency trees must be manually reviewed or automated tooling applied.

Exploitability

Exploitation requires authenticated access to an application endpoint that calls addMediaFromUrl(). This is a meaningful constraint—it eliminates unauthenticated remote exploitation but does not eliminate risk. Many applications expose this functionality to logged-in users for avatar uploads, media galleries, or content management. Exploitation is straightforward once authenticated: submit a crafted URL and trigger the function. No user interaction is required beyond initial authentication. The vulnerability is not reported to be exploited in the wild as of the published date, and it has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.

Remediation

Update Spatie Laravel Media Library to version 11.23.0 or later. This version contains patches that validate and sanitize URL inputs before processing. Organizations should apply this update immediately in development and staging environments, then coordinate production deployment within their change management process. For applications unable to update immediately, restrict network-level access to the addMediaFromUrl() functionality, implement input validation at the application level, and monitor outbound HTTP requests for anomalous destinations.

Patch guidance

Verify the current installed version of Spatie Laravel Media Library by checking composer.lock or running 'composer show spatie/laravel-media-library'. Update to version 11.23.0 or later via 'composer update spatie/laravel-media-library' in your project root. After updating, run your test suite to ensure compatibility with your application. Review your change logs and release notes from the vendor to confirm no breaking changes affect your media handling workflows. Test the addMediaFromUrl() method with both valid and malformed URLs to confirm the patch behaves as expected. Deploy through your normal release pipeline with appropriate testing and staging validation.

Detection guidance

Monitor application logs for unexpected or suspicious outbound HTTP requests initiated by the addMediaFromUrl() method. Look for requests to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), cloud metadata endpoints (169.254.169.254, etc.), or unusual external domains. Network-level monitoring of egress traffic from application servers may reveal SSRF attempts. Implement rate limiting or throttling on media upload endpoints to reduce the window for exploitation. Web application firewalls (WAF) can be configured to block requests containing known internal IP ranges or metadata service URIs in URL parameters. Correlate authentication logs with unusual outbound traffic to identify compromised accounts.

Why prioritize this

This vulnerability merits immediate attention due to its HIGH severity, authenticated attack vector, and potential for lateral movement or data exfiltration. While it requires authentication, many organizations cannot easily revoke or audit all legitimate access to media upload features. The patch is available, straightforward to apply, and carries minimal compatibility risk. Organizations with internet-facing Laravel applications or multi-tenant deployments should prioritize this update to prevent account compromise or infrastructure reconnaissance. The lack of KEV listing or active exploitation does not diminish urgency—proactive patching is the efficient response.

Risk score, explained

The CVSS 3.1 score of 7.4 (HIGH) reflects: network accessibility (AV:N), low attack complexity (AC:L), requirement for low privileges—authenticated user access (PR:L), changed scope (S:C) indicating potential impact beyond the vulnerable component, and partial impacts across confidentiality, integrity, and availability (C:L/I:L/A:L). The score appropriately weights the practical risk: an attacker must authenticate, but once authenticated, exploitation is trivial and impact is significant. Organizations should not interpret the 'L' (Low) impact ratings as negligible; in CVSS, 'L' means partial impact, and three partial impacts plus changed scope produces a substantial risk score.

Frequently asked questions

Our Laravel app uses Laravel Media Library to let users upload avatars. Are we vulnerable?

Yes, if your installed version is below 11.23.0. The vulnerability exists in the addMediaFromUrl() method specifically. If you only use direct file uploads (not URL imports), your exposure is limited to authenticated users who have access to import media from URLs. Review your application code to confirm whether addMediaFromUrl() is exposed to users and whether version 11.23.0 is available in your environment.

We have this package as a transitive dependency. Do we need to update?

Yes. Even if you do not directly call addMediaFromUrl(), a third-party package or extension you depend on may call it. Run 'composer show spatie/laravel-media-library' and check the version. If it is below 11.23.0, update your root package or the package that depends on Media Library. Transitive dependencies are part of your attack surface and must be kept current.

What is the difference between SSRF and regular request forgery?

SSRF forces the server itself to make requests, typically to internal or restricted destinations. Regular request forgery (CSRF) tricks a user into making requests on their own behalf. SSRF is dangerous because the attacker leverages the server's network position and credentials. In this case, an attacker can reach internal APIs, cloud metadata endpoints, or other services that the server can access but the outside world cannot.

We use a WAF in front of our application. Does that protect us?

A WAF can help but is not a substitute for patching. A WAF might block obviously malicious URL patterns, but it cannot inspect all HTTP requests made by the server after it processes user input. Patching the vulnerable package to version 11.23.0 is the definitive fix. WAF rules should be layered as defense-in-depth but not relied upon as the primary control.

This analysis is provided for informational purposes based on available CVE data and vendor advisories. No guarantee is made regarding completeness or accuracy of patch information. Organizations should verify patch availability and compatibility in their specific environments before deployment. This vulnerability is not currently listed on the CISA KEV catalog and is not reported to be actively exploited; however, proactive patching is strongly recommended. Security controls and remediations discussed are general guidance and do not constitute professional security advice. Consult your security team, vendor documentation, and change management procedures before deploying updates to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).