N/A

CVSS Score

Basic Information

CVE ID

CVE-2024-55661

GHSA ID

GHSA-8vwh-pr89-4mw2

EPSS Score

0.83274%

CWE

CWE-94

Published

12/13/2024

Updated

12/17/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-55661

CVE-2024-55661: Laravel Pulse Allows Remote Code Execution via Unprotected Query Method

A vulnerability has been discovered in Laravel Pulse that could allow remote code execution through the public remember() method in the Laravel\Pulse\Livewire\Concerns\RemembersQueries trait. This method is accessible via Livewire components and can be exploited to call arbitrary callables within the application.

Impact

An authenticated user with access to Laravel Pulse dashboard can execute arbitrary code by calling any function or static method that meets the following criteria:

The callable is a function or static method
The callable has no parameters or no strict parameter types

Vulnerable Components

The remember(callable $query, string $key = '') method in Laravel\Pulse\Livewire\Concerns\RemembersQueries
Affects all Pulse card components that use this trait

Attack Vectors

The vulnerability can be exploited through Livewire component interactions, for example:

wire:click="remember('\\Illuminate\\Support\\Facades\\Config::all', 'config')"

Credit

Thank you to Jeremy Angele for reporting this vulnerability.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2024-55661

GHSA ID

GHSA-8vwh-pr89-4mw2

EPSS Score

0.83274%

CWE

CWE-94

Published

12/13/2024

Updated

12/17/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
laravel/pulse	composer	< 1.3.1	1.3.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the remember() method being publicly accessible in Livewire components. The commit diff shows this method's visibility was changed from public to protected to fix the issue. As a public method handling user-controlled callables without proper validation, it enabled code injection (CWE-94) by allowing attackers to execute arbitrary functions like \Illuminate\Support\Facades\Config::all. The NVD description and GHSA advisory explicitly identify this method as the attack vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility **s ***n *is*ov*r** in L*r*v*l Puls* t**t *oul* *llow r*mot* *o** *x**ution t*rou** t** pu*li* `r*m*m**r()` m*t*o* in t** `L*r*v*l\Puls*\Liv*wir*\*on**rns\R*m*m**rsQu*ri*s` tr*it. T*is m*t*o* is ****ssi*l* vi* Liv*wir* *ompon*nts *n*

Reasoning

T** vuln*r**ility st*ms *rom t** r*m*m**r() m*t*o* **in* pu*li*ly ****ssi*l* in Liv*wir* *ompon*nts. T** *ommit *i** s*ows t*is m*t*o*'s visi*ility w*s ***n*** *rom pu*li* to prot**t** to *ix t** issu*. *s * pu*li* m*t*o* **n*lin* us*r-*ontroll** **l

N/A

Basic Information

Concerned about an active attack path?

CVE-2024-55661: Laravel Pulse Allows Remote Code Execution via Unprotected Query Method

Impact

Vulnerable Components

Attack Vectors

Credit

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI