Livewire Fixes Validation Vulnerability in Laravel
CVE-2024-47823

7.7HIGH

Key Information:

Vendor

Livewire

Status
Livewire
Vendor
CVE Published:
8 October 2024

What is CVE-2024-47823?

The Livewire framework for Laravel contains a vulnerability where file extensions of uploaded files are determined based on their MIME types, without proper validation of the actual file extension. This flaw allows an attacker to exploit the system by uploading a malicious file that appears benign (such as an image) but is actually a PHP file, triggering potential remote code execution. This security issue arises when the filename is derived from the original file name, and if the files are stored in a publicly accessible directory on the server where PHP execution is enabled. The issue has been resolved in versions 2.12.7 and 3.5.2; users are urged to update their systems immediately.

Affected Version(s)

livewire >= 3.0.0-beta.1, < 3.5.2 < 3.0.0-beta.1, 3.5.2

livewire < 2.12.7 < 2.12.7

References

https://github.com/livewire/livewire/security/advisories/...
x_refsource_CONFIRM
https://github.com/livewire/livewire/pull/8624
x_refsource_MISC
https://github.com/livewire/livewire/commit/70503b79f5db7...
x_refsource_MISC

CVSS V4

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2024-47823 : Livewire Fixes Validation Vulnerability in Laravel