
CVE-2022-31279: Unserialized Pop Chain in Laravel

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: -
Published: 6/8/2022
Updated: 1/27/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: laravel/laravel
Ecosystem: composer
Vulnerable Versions: <= 9.1.8
First Patched Version:

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability relies on a POP (Property-Oriented Programming) chain built from two magic methods: __destruct in PendingBroadcast and __call in Faker\Generator. The __destruct in PendingBroadcast initiates the chain by interacting with attacker-controlled event objects, while __call in Faker\Generator enables dynamic method dispatch. The provided POC demonstrates how these functions are exploited: PendingBroadcast's destructor triggers operations on a manipulated Faker\Generator object, whose __call method resolves to a dangerous system command. The chain is only reachable when the application itself passes attacker-controlled data to deserialization. Though the advisory was withdrawn, the technical analysis and exploit code confirm these functions' roles in the chain.
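The mechanism above (magic methods firing while unserialize() rehydrates untrusted data) and the control that stops any such chain at its root are shown below as an added example; it is not code from the Miggo page, nor from the Laravel or Faker projects. The Gadget class and the serialized string are constructed stand-ins, not the real PendingBroadcast or Faker\Generator gadgets. It assumes PHP 8.0 or later (for the mixed return type) and uses the documented allowed_classes option of unserialize().

```php
<?php
// Added example (not from the Miggo page, Laravel, or Faker). Gadget is a
// hypothetical stand-in for any class whose magic methods are reachable
// through unserialize(); the payload string below is constructed.
declare(strict_types=1);

final class Gadget
{
    public string $note = 'constructed sample';

    // PHP calls this automatically when the object is released. In a real POP
    // chain a destructor like this is the entry point (compare
    // PendingBroadcast::__destruct in the analysis above).
    public function __destruct()
    {
        echo "Gadget::__destruct ran for note='{$this->note}'\n";
    }
}

// Constructed payload: what a serialized Gadget looks like if it arrived from
// an untrusted source (cookie, request body, queue message, cache entry).
$untrusted = 'O:6:"Gadget":1:{s:4:"note";s:9:"from-user";}';

// 1) Unsafe: every class named in the payload may be instantiated, so its
//    __wakeup/__destruct/__call/__toString methods become reachable.
function unsafeUnserialize(string $data): mixed
{
    return unserialize($data);
}

// 2) Hardened: no class may be instantiated. Objects in the payload are
//    rehydrated as __PHP_Incomplete_Class, whose magic methods PHP never calls,
//    so no gadget chain can start.
function safeUnserialize(string $data): mixed
{
    return unserialize($data, ['allowed_classes' => false]);
}

// 3) Stricter: if the application only ever expects arrays, refuse anything
//    else rather than silently carrying an incomplete object around.
function expectArray(string $data): array
{
    $value = unserialize($data, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new UnexpectedValueException('serialized input must be an array');
    }
    return $value;
}

$a = unsafeUnserialize($untrusted);
echo 'unsafe: got ' . get_class($a) . "\n";
unset($a); // releasing the object is what fires Gadget::__destruct

$b = safeUnserialize($untrusted);
echo 'hardened: got ' . get_class($b) . "\n"; // no destructor will run for this object

try {
    expectArray($untrusted);
} catch (UnexpectedValueException $e) {
    echo 'strict: rejected (' . $e->getMessage() . ")\n";
}
```

Run it with `php example.php`. Only the unsafe call instantiates Gadget, so only that path reaches __destruct; with allowed_classes set to false the object comes back as __PHP_Incomplete_Class and the chain never starts, and the strict variant rejects objects outright. For a Laravel application the same rule applies wherever user-controlled bytes reach unserialize(): restrict allowed classes, or use json_decode() for untrusted input, since JSON cannot name PHP classes at all.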


WAF Protection Rules

WAF Rule

Withdrawn: This advisory has been withdrawn because it is not a security issue and the CVE has been revoked.

Original Description: Laravel 9.1.8, when processing attacker-controlled data for deserialization, allows Remote Code Execution (RCE) vi
