HIGH 7.4
GHSA-fggg-964j-3j7h
Spatie Laravel Media Library contains a server-side request forgery vulnerability
Details
Spatie Laravel Media Library before version 11.23.0 contains a server-side request forgery vulnerability that allows remote attackers to cause the server to issue arbitrary outbound HTTP requests by passing user-controlled URLs to the addMediaFromUrl() method in InteractsWithMedia.php.
Are you affected?
Enter the version of the package you're using.
Affected packages
Packagist / spatie/laravel-medialibrary
Introduced in:
0 Fixed in: 11.23.0 Fix
composer require spatie/laravel-medialibrary:^11.23.0 References
- https://nvd.nist.gov/vuln/detail/CVE-2026-48555 [ADVISORY]
- https://github.com/spatie/laravel-medialibrary/pull/3939 [WEB]
- https://github.com/spatie/laravel-medialibrary/commit/608ea03703d3887c46434f5dda6af56de6346aba [WEB]
- https://github.com/spatie/laravel-medialibrary [PACKAGE]
- https://github.com/spatie/laravel-medialibrary/releases/tag/11.23.0 [WEB]
- https://www.vulncheck.com/advisories/spatie-laravel-media-library-ssrf-via-addmediafromurl [WEB]