
CVE-2024-34515: image-optimizer allows PHAR deserialization

CVSS Score: 8.8 (CVSS 3.1)

Basic Information

EPSS Score: 0.35333%
Published: 5/5/2024
Updated: 8/21/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name: spatie/image-optimizer
Ecosystem: composer
Vulnerable Versions: < 1.7.3
First Patched Version: 1.7.3

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from file_exists() being called on attacker-controlled input without protocol validation. PHAR deserialization occurs when PHP processes phar:// URIs through filesystem functions: the phar stream wrapper parses the archive, including its serialized metadata, as part of resolving the path. The pre-patch code in Image.php's constructor called file_exists($pathToImage) directly on the supplied path without checking its protocol, so a phar:// path reached the phar stream wrapper. The patch adds protocol validation (isProtocolAllowed()) before the file_exists() call so that disallowed stream wrappers are rejected first.
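The pattern described above, as an added illustration that is not spatie/image-optimizer's own code: the pre-patch shape (file_exists() on raw input) beside a hardened shape that validates the protocol first. The class names, the allow-list and the body of isProtocolAllowed() are assumptions, not the package's actual implementation.

```php
<?php
// Added illustration, not spatie/image-optimizer's own code. Class names and
// the isProtocolAllowed() body are assumptions made for this example.

final class UnsafeImageLoader
{
    public function __construct(private string $pathToImage)
    {
        // Vulnerable pattern: PHP resolves any registered stream wrapper named
        // in the string (phar:// included) inside file_exists() itself, so the
        // wrapper runs before this "does it exist" check can reject anything.
        if (!file_exists($pathToImage)) {
            throw new InvalidArgumentException("`{$pathToImage}` does not exist");
        }
    }
}

final class SafeImageLoader
{
    // Allow-list of schemes a local image path may carry (assumption).
    private const ALLOWED_PROTOCOLS = ['file'];

    public function __construct(private string $pathToImage)
    {
        // Hardened pattern: reject unknown wrappers before any filesystem call.
        if (!self::isProtocolAllowed($pathToImage)) {
            throw new InvalidArgumentException("Protocol in `{$pathToImage}` is not allowed");
        }
        if (!file_exists($pathToImage)) {
            throw new InvalidArgumentException("`{$pathToImage}` does not exist");
        }
    }

    // Hypothetical check: a plain path (no "scheme:" prefix) is accepted; a path
    // with a scheme passes only if the scheme is allow-listed. The scheme must be
    // at least two characters so a Windows drive letter (C:\...) is not a scheme.
    // Matching is case-insensitive so PHAR:// is not mistaken for a plain path.
    public static function isProtocolAllowed(string $path): bool
    {
        if (preg_match('~^([a-z][a-z0-9+.-]+):~i', $path, $m) !== 1) {
            return true;
        }
        return in_array(strtolower($m[1]), self::ALLOWED_PROTOCOLS, true);
    }
}

// Constructed sample inputs: a plain path, a phar:// path, an upper-cased scheme.
var_dump(SafeImageLoader::isProtocolAllowed('/var/www/uploads/photo.jpg'));
var_dump(SafeImageLoader::isProtocolAllowed('phar:///var/www/uploads/photo.jpg'));
var_dump(SafeImageLoader::isProtocolAllowed('PHAR:///var/www/uploads/photo.jpg'));
```

Only the plain path is accepted by the hardened check; both phar:// spellings are rejected before file_exists() is ever reached.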


WAF Protection Rules

WAF Rule

image-optimizer before 1.7.3 allows PHAR deserialization, e.g., the `phar://` protocol in arguments to `file_exists()`.
