TL;DR
Image uploads aren't just images. A JPEG can carry a PHP web shell in its EXIF comment and still pass MIME checks, extension checks, and even getimagesize(). If that file ever lands somewhere executable - a misconfigured public/uploads, a .htaccess override, a chained LFI - you've got remote code execution.
laravel-at/laravel-image-sanitize is a small middleware that scans uploaded images for payload markers (<?php, phar) and re-encodes anything suspicious through Intervention Image, stripping the payload before your controller ever sees the file.
composer require laravel-at/laravel-image-sanitize
Enter fullscreen mode






