CVE-2025-66509
CRITICAL: LaraDashboard < 2.3.0 - Unauthenticated Arbitrary Code Execution via Host Header Spoofing
Title source: llmDescription
LaraDashboard is an all-in-one starter kit for Laravel applications. In versions before 2.3.0, the password reset flow builds the reset link from the request's Host header instead of the configured application URL. An unauthenticated attacker who requests a password reset for the administrator account while sending a spoofed Host header therefore causes the emailed link, and the reset token it carries, to point at an attacker-controlled server. If the administrator follows that link, the attacker captures the token, resets the administrator's password and logs in (the chain still depends on the administrator opening the poisoned link). With administrative access the attacker can then use the module installation feature to upload a module whose ServiceProvider::boot() method is executed automatically on installation, which yields arbitrary PHP code execution on the server.
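The following is an added example, not LaraDashboard's code and not taken from the advisory. It shows offline what the description above means: a reset-link builder that copies its origin from the Host header (the weak pattern) next to one that validates Host against a configured application URL and builds the link from that URL only, plus a small scan over constructed request-log lines that flags reset requests sent with a foreign Host, which is what this attack looks like on the wire. The APP_URL value, the /forgot-password and /reset-password paths and the log format are assumptions made for the example.

```python
"""Host-header poisoning of a password-reset link, shown offline.

Constructed illustration only: it is not LaraDashboard's code. The
application URL, route paths and log format below are assumptions.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlencode, urlsplit

# Assumed canonical URL, the equivalent of Laravel's APP_URL setting.
APP_URL = "https://dashboard.example.com"


class UntrustedHost(Exception):
    """Raised when a request's Host header is not one we serve."""


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: only the headers matter here."""
    headers: dict


def _host_only(value: str) -> str:
    """Strip a port and normalise case: 'Evil.example:8080' -> 'evil.example'."""
    return value.split(":", 1)[0].strip().lower()


def reset_link_vulnerable(req: Request, token: str, email: str) -> str:
    """Weak pattern: the link's origin is copied from the request's Host header.

    Whoever controls Host controls where the token is sent.
    """
    host = req.headers.get("Host", "")
    return f"https://{host}/reset-password/{token}?{urlencode({'email': email})}"


def host_is_trusted(host: str) -> bool:
    """Accept only the configured host and its subdomains (TrustHosts-style)."""
    canonical = urlsplit(APP_URL).hostname
    host = _host_only(host)
    return host == canonical or host.endswith("." + canonical)


def reset_link_hardened(req: Request, token: str, email: str) -> str:
    """Hardened pattern: reject unknown hosts and build the link from APP_URL only."""
    host = req.headers.get("Host", "")
    if not host_is_trusted(host):
        raise UntrustedHost(host)
    return f"{APP_URL}/reset-password/{token}?{urlencode({'email': email})}"


# Constructed request log (not a real server format): one request per line.
SAMPLE_LOG = """\
2025-12-04T10:00:01Z POST /forgot-password host=dashboard.example.com ip=198.51.100.7
2025-12-04T10:00:09Z POST /forgot-password host=evil.example ip=203.0.113.5
2025-12-04T10:00:12Z GET /login host=evil.example ip=203.0.113.5
2025-12-04T10:01:30Z POST /forgot-password host=Dashboard.Example.com:443 ip=198.51.100.8
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>\S+) (?P<path>\S+) host=(?P<host>\S+) ip=(?P<ip>\S+)$"
)


def suspicious_reset_requests(log_text: str) -> list:
    """Return (timestamp, host, ip) for reset requests carrying an untrusted Host.

    A reset request whose Host is not ours is the attack's footprint, so it
    is a cheap retroactive indicator to run over existing logs.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["path"] == "/forgot-password" and not host_is_trusted(m["host"]):
            hits.append((m["ts"], m["host"], m["ip"]))
    return hits


if __name__ == "__main__":
    spoofed = Request({"Host": "evil.example"})
    print("vulnerable:", reset_link_vulnerable(spoofed, "tok123", "admin@example.com"))
    try:
        reset_link_hardened(spoofed, "tok123", "admin@example.com")
    except UntrustedHost as exc:
        print("hardened rejected Host:", exc)
    print("suspicious:", suspicious_reset_requests(SAMPLE_LOG))
```

The hardened builder does two independent things, and both matter: rejecting a Host that is not the configured one stops the poisoned request early, and building the link from the configured URL rather than the request means that even a request which slips past the host check cannot steer the token anywhere else. In a Laravel deployment the same effect is normally obtained by enabling the TrustHosts middleware and setting APP_URL, rather than by hand-rolling the check as done here.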
References
Vendor Advisory (x_refsource_confirm): https://github.com/laradashboard/laradashboard/security/advisories/GHSA-j9mm-c9cj-pc82
Scores
CVSS v3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0034 (percentile 26.2%)
Attack Vector: NETWORK
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-284 (Improper Access Control)
Status: published
Products (1): laradashboard/lara_dashboard < 2.3.0
Published: Dec 04, 2025
Tracked Since: Feb 18, 2026