Headline
GHSA-8vwh-pr89-4mw2: Laravel Pulse Allows Remote Code Execution via Unprotected Query Method
A vulnerability has been discovered in Laravel Pulse that could allow remote code execution through the public remember() method in the Laravel\Pulse\Livewire\Concerns\RemembersQueries trait. This method is accessible via Livewire components and can be exploited to call arbitrary callables within the application.
Impact
An authenticated user with access to the Laravel Pulse dashboard can execute arbitrary code by calling any function or static method that meets the following criteria:
- The callable is a function or static method
- The callable has no parameters or no strict parameter types
Vulnerable Components
- The remember(callable $query, string $key = '') method in Laravel\Pulse\Livewire\Concerns\RemembersQueries
- Affects all Pulse card components that use this trait
Attack Vectors
The vulnerability can be exploited through Livewire component interactions, for example:
wire:click="remember('\\Illuminate\\Support\\Facades\\Config::all', 'config')"
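The following is an added example, not code from laravel/pulse or Livewire, showing why a public method with a `callable` parameter becomes a code-execution sink once a framework exposes public component methods as browser-callable actions, and what changes when the method is taken out of that public surface. The `Config` stub, the two card classes and the `dispatchAction()` dispatcher are assumptions written for this illustration (a minimal approximation of an action dispatch, not Livewire's own); the hardening shown is one possible remediation and is not claimed to be the change in the referenced commit.

```php
<?php
// Added example: illustrates the mechanism described in the advisory.
// Assumptions: Config, VulnerableCard, HardenedCard and dispatchAction() are
// stand-ins written for this example; Livewire's dispatcher is only approximated.

// Stand-in for the \Illuminate\Support\Facades\Config facade named in the payload.
final class Config
{
    public static function all(): array
    {
        // Constructed sample data standing in for real application config.
        return ['app' => ['key' => 'base64:constructed-secret']];
    }
}

// Shape of the sink: a public method whose `callable` argument is invoked as-is.
trait RemembersQueriesVulnerable
{
    public function remember(callable $query, string $key = ''): mixed
    {
        // A plain string such as 'Config::all' satisfies PHP's `callable` type,
        // so whatever the caller names is executed here with no further checks.
        // $query() passes no arguments, which is why callables that require
        // parameters fail with an ArgumentCountError rather than run.
        return $query();
    }
}

// One hardening: the same method made non-public, so a dispatcher that only
// exposes public methods can no longer reach it; legitimate use stays internal.
trait RemembersQueriesHardened
{
    protected function remember(callable $query, string $key = ''): mixed
    {
        return $query();
    }

    // The card itself decides which closure runs; nothing here comes from the browser.
    public function render(): array
    {
        return $this->remember(fn (): array => ['rows' => 0], 'card-data');
    }
}

final class VulnerableCard { use RemembersQueriesVulnerable; }
final class HardenedCard { use RemembersQueriesHardened; }

// Minimal approximation of an action dispatch: the browser supplies a method name
// and parameters, and only public methods on the component may be invoked.
function dispatchAction(object $component, string $method, array $params): string
{
    $ref = new ReflectionClass($component);
    if (!$ref->hasMethod($method) || !$ref->getMethod($method)->isPublic()) {
        return "rejected: {$method} is not a public action";
    }

    try {
        $result = $component->{$method}(...$params);
    } catch (Throwable $e) {
        return 'error: ' . $e->getMessage();
    }

    return 'executed: ' . json_encode($result);
}

// The advisory's payload, without the leading namespace separator.
$payload = ['Config::all', 'config'];

echo dispatchAction(new VulnerableCard(), 'remember', $payload), PHP_EOL;
echo dispatchAction(new HardenedCard(), 'remember', $payload), PHP_EOL;
```

Run with `php example.php`: the first line shows the stub config dumped back to the caller, the second shows the same request rejected because `remember()` is no longer a public action. Who can reach the real sink is whoever is admitted to the Pulse dashboard by the application's `viewPulse` authorization gate, so the practical exposure depends on how that gate is configured. To confirm whether an installation is in the affected range, compare the output of `composer show laravel/pulse` against the < 1.3.1 range given below.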
Credit
Thank you to Jeremy Angele for reporting this vulnerability.
CVE-2024-55661
High severity GitHub Reviewed Published Dec 13, 2024 in laravel/pulse • Updated Dec 13, 2024
Package
composer laravel/pulse (Composer)
Affected versions
< 1.3.1
References
- GHSA-8vwh-pr89-4mw2
- https://nvd.nist.gov/vuln/detail/CVE-2024-55661
- laravel/pulse@d1a5bf2
Published to the GitHub Advisory Database
Dec 13, 2024
Last updated
Dec 13, 2024