CVE-2024-47823: Livewire Remote Code Execution on File Uploads
(updated )
In livewire/livewire prior to v2.12.7
and v3.5.2
, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., image/png
) and a “.php” file extension.
If the following criteria are met, the attacker can carry out an RCE attack:
- Filename is composed of the original file name using
$file->getClientOriginalName()
- Files stored directly on your server in a public storage disk
- Webserver is configured to execute “.php” files
References
- github.com/advisories/GHSA-f3cx-396f-7jqp
- github.com/livewire/livewire
- github.com/livewire/livewire/commit/70503b79f5db75a1eac9bf55826038a6ee5a16d5
- github.com/livewire/livewire/commit/cd168c6212ea13d13b82b3132485741f82d9fad9
- github.com/livewire/livewire/pull/8624
- github.com/livewire/livewire/security/advisories/GHSA-f3cx-396f-7jqp
- nvd.nist.gov/vuln/detail/CVE-2024-47823
Detect and mitigate CVE-2024-47823 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →