All Carbon CVEs — Complete Vulnerability History
Carbon is PHP's most popular date manipulation library. CVEs here are ReDoS vulnerabilities in date string parsing.
PHP · 50M+ weekly downloads · 1 CVE total
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2022-22824 | 2022 | MEDIUM | ReDoS via crafted date string | Fixed 2.72.2 |
Current safe version: ^3.3
```
# Before
"nesbot/carbon": "^2.62"

# After
"nesbot/carbon": "^3.3"
```

Then run: `composer install`
Common questions
Is Carbon still the best PHP date library?
Carbon remains the standard for Laravel projects. It wraps PHP's built-in DateTime and adds fluent methods. Keep it updated — the ReDoS fix is in 2.72.2+.