Livewire RCE via Unvalidated File Extension (before 2.12.7/3.5.2)
CVE-2024-47823 Published on October 8, 2024
Livewire Remote Code Execution (RCE) on File Uploads
Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a .php file extension. If the following criteria are met, the attacker can carry out an RCE attack: 1. Filename is composed of the original file name using `$file->getClientOriginalName()`. 2. Files stored directly on your server in a public storage disk. 3. Webserver is configured to execute .php files. This issue has been addressed in release versions `2.12.7` and `3.5.2`. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Weakness Type
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Products Associated with CVE-2024-47823
Want to know whenever a new CVE is published for Laravel Livewire? stack.watch will email you.
Affected Versions
livewire:- Version >= 3.0.0-beta.1, < 3.5.2 is affected.
- Version < 2.12.7 is affected.
- Before 3.5.2 is affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2024-47823
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| composer | livewire/livewire | < 3.5.2 | 3.5.2 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.