SCA: security update for marshmallow/nova-tiptap (GHSA-96c2-h667-9fxp)

critical Tenable Cloud Security Plugin ID 428605

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- marshmallow-packages/nova-tiptap is a rich text editor for Laravel Nova based on tiptap. Prior to 5.7.0, a
vulnerability was discovered in the marshmallow-packages/nova-tiptap Laravel Nova package that allows
unauthenticated users to upload arbitrary files to any Laravel disk configured in the application. The
vulnerability is due to missing authentication middleware (Nova and Nova.Auth) on the /nova-
tiptap/api/file upload endpoint, the lack of validation on uploaded files (no MIME/type or extension
restrictions), and the ability for an attacker to choose the disk parameter dynamically. This means an
attacker can craft a custom form and send a POST request to /nova-tiptap/api/file, supplying a valid CSRF
token, and upload executable or malicious files (e.g., .php, binaries) to public disks such as local,
public, or s3. If a publicly accessible storage path is used (e.g. S3 with public access, or Laravel’s
public disk), the attacker may gain the ability to execute or distribute arbitrary files — amounting to a
potential Remote Code Execution (RCE) vector in some environments. This vulnerability was fixed in 5.7.0.
(CVE-2025-54082)

See Also

https://github.com/advisories/GHSA-96c2-h667-9fxp

Plugin Details

Severity: Critical

ID: 428605

Version: Revision 1.10

Type: Local

Family: SCA Checks

Published: 7/22/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.49

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2025-54082

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.3

Threat Score: 8.1

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/21/2025

Vulnerability Publication Date: 7/21/2025

Reference Information

CVE: CVE-2025-54082

cwe: CWE-434