GHSA-8vwh-pr89-4mw2: Laravel Pulse Allows Remote Code Execution via Unprotected Query Method

A vulnerability has been discovered in Laravel Pulse that could allow remote code execution through the public remember() method in the Laravel\Pulse\Livewire\Concerns\RemembersQueries trait. This method is accessible via Livewire components and can be exploited to call arbitrary callables within the application.

Impact

An authenticated user with access to the Laravel Pulse dashboard can execute arbitrary code by calling any function or static method that meets the following criteria:

  • The callable is a function or static method
  • The callable has no parameters or no strict parameter types

Vulnerable Components

  • The remember(callable $query, string $key = '') method in Laravel\Pulse\Livewire\Concerns\RemembersQueries
  • Affects all Pulse card components that use this trait

Attack Vectors

The vulnerability can be exploited through Livewire component interactions, for example:

wire:click="remember('\\Illuminate\\Support\\Facades\\Config::all', 'config')"
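
The mechanism behind that vector, as an added illustration that is not Pulse's own code: Livewire routes a wire:click action to a public method of the component with arguments taken straight from the request, so a public trait method that invokes its callable argument becomes a remote call gadget. The stand-in dispatcher, the two trait names, the card classes and the harmless phpversion callable are all constructed for this example; reducing the method's visibility is shown as one way to take it out of the frontend's reach, not as a claim about the exact upstream patch.

```php
<?php
// Constructed example: a Livewire-style action dispatcher and two versions of a
// query-remembering trait. Only the public one can be reached from the browser.

trait RemembersQueriesVulnerable
{
    // Public, so any Livewire component using this trait exposes it as an action.
    public function remember(callable $query, string $key = ''): mixed
    {
        return $query(); // runs whatever callable name the request supplied
    }
}

trait RemembersQueriesHardened
{
    // Protected: still usable by the card's own methods, not dispatchable by Livewire.
    protected function remember(callable $query, string $key = ''): mixed
    {
        return $query();
    }
}

final class VulnerableCard { use RemembersQueriesVulnerable; }
final class HardenedCard { use RemembersQueriesHardened; }

/**
 * Minimal stand-in (assumption, not Livewire's real code) for how a wire:click
 * action is resolved: method name and arguments come from the HTTP request, and
 * only public methods on the component are invoked.
 */
function dispatchAction(object $component, string $method, array $args): string
{
    $ref = new ReflectionClass($component);
    if (!$ref->hasMethod($method) || !$ref->getMethod($method)->isPublic()) {
        return 'rejected: not a public action';
    }
    return 'executed: ' . json_encode($component->$method(...$args));
}

// Constructed request payload with the same shape as the advisory's wire:click
// example, but naming a harmless zero-argument function so the script runs anywhere.
$request = ['method' => 'remember', 'args' => ['phpversion', 'ver']];

// Vulnerable card: the supplied callable is executed.
echo dispatchAction(new VulnerableCard(), $request['method'], $request['args']), PHP_EOL;
// Hardened card: the dispatcher refuses because remember() is no longer public.
echo dispatchAction(new HardenedCard(), $request['method'], $request['args']), PHP_EOL;
```

Detection-wise, the same dispatch path means Livewire update requests whose action name is remember with a string first argument are the thing to look for in request logs of a Pulse-enabled application.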

Credit

Thank you to Jeremy Angele for reporting this vulnerability.

Laravel Pulse Allows Remote Code Execution via Unprotected Query Method

High severity GitHub Reviewed Published Dec 13, 2024 in laravel/pulse • Updated Dec 13, 2024

Package

composer laravel/pulse (Composer)

Affected versions

< 1.3.1

References

  • GHSA-8vwh-pr89-4mw2
  • https://nvd.nist.gov/vuln/detail/CVE-2024-55661
  • laravel/pulse@d1a5bf2

Published to the GitHub Advisory Database

Dec 13, 2024

Last updated

Dec 13, 2024