TL;DR

Image uploads aren't just images. A JPEG can carry a PHP web shell in its EXIF comment and still pass MIME checks, extension checks, and even getimagesize(). If that file ever lands somewhere executable - a misconfigured public/uploads, a .htaccess override, a chained LFI - you've got remote code execution.

laravel-at/laravel-image-sanitize is a small middleware that scans uploaded images for payload markers (<?php, phar) and re-encodes anything suspicious through Intervention Image, stripping the payload before your controller ever sees the file.

composer require laravel-at/laravel-image-sanitize

Enter fullscreen mode