spatie/image-optimizer is vulnerable to Deserialization of Untrusted Data. The vulnerability is due to a lack of protocol checks on the file path before it is passed to the `file_exists()` function. This allows attackers to use the `phar://` protocol to deserialize a malicious script, which results in Remote Code Execution (RCE).
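
One way to apply the missing protocol check before a path reaches `file_exists()`, as an added example that is not code from spatie/image-optimizer or its fix. The function name `assertLocalImagePath` and the sample paths are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of spatie/image-optimizer): accept only
 * plain local filesystem paths before any filesystem function sees them.
 */
function assertLocalImagePath(string $path): string
{
    // Reject anything of the form "scheme://", e.g. phar://, php://, zip://.
    // The match is case-insensitive so "PHAR://" is rejected as well.
    if (preg_match('#^\s*[a-z][a-z0-9+.\-]*://#i', $path) === 1) {
        throw new InvalidArgumentException("Stream wrapper not allowed: {$path}");
    }

    // A NUL byte has no place in a legitimate path.
    if (strpos($path, "\0") !== false) {
        throw new InvalidArgumentException('Path contains a NUL byte');
    }

    // Only now touch the filesystem: resolve symlinks and "..", then
    // require a regular file. realpath() returns false if nothing exists.
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        throw new InvalidArgumentException("Not a regular local file: {$path}");
    }

    return $real;
}

// Constructed sample inputs: one real temporary file and two wrapper paths.
$tmp = tempnam(sys_get_temp_dir(), 'img');
$candidates = [$tmp, 'phar:///tmp/upload.jpg/x', 'PHAR://upload.jpg'];

foreach ($candidates as $candidate) {
    try {
        echo 'accepted: ', assertLocalImagePath($candidate), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}

unlink($tmp);
```
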
CPE

Name | Operator | Version |
---|---|---|
spatie/image-optimizer | le | 1.7.2 |