
CVE-2024-47823: Livewire Remote Code Execution on File Uploads

October 8, 2024 (updated October 9, 2024)

In livewire/livewire prior to v2.12.7 and v3.5.2, the file extension of an uploaded file is guessed from its MIME type, and the actual extension carried by the uploaded file name is never validated. An attacker can therefore bypass the validation by uploading a file with a permitted MIME type (e.g., image/png) and a “.php” file extension. If all of the following conditions are met, the attacker can achieve remote code execution (RCE):

  • The stored file name is built from the original client file name via $file->getClientOriginalName()
  • Files are stored directly on your server on a public storage disk
  • The web server is configured to execute “.php” files
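The following is an added example, not Livewire's own code or the fix referenced below, showing the defensive check the advisory implies: the client-supplied extension is validated against an allowlist and against the extension implied by the server-side detected MIME type, and the stored name is generated rather than taken from `getClientOriginalName()`. The allowlist, the function name `validateUpload` and the sample inputs are constructed for illustration; the `$detectedMime` argument is assumed to come from content sniffing on the server (for example `finfo`), not from the client-supplied Content-Type.

```php
<?php
// Added example (not Livewire's code): validate an upload's client-supplied
// extension against an allowlist and the server-detected MIME type, then
// store it under a generated name so the client name is never reused.

declare(strict_types=1);

// Constructed allowlist: detected MIME type => extensions accepted for it.
const ALLOWED_TYPES = [
    'image/png'       => ['png'],
    'image/jpeg'      => ['jpg', 'jpeg'],
    'application/pdf' => ['pdf'],
];

/**
 * Decide whether an upload may be stored and under what name.
 *
 * @param string $clientName   File name as sent by the browser (attacker-controlled).
 * @param string $detectedMime MIME type detected from the file contents on the server
 *                             (e.g. via finfo), not the client-supplied Content-Type.
 * @return array{ok: bool, reason: string, storedName: ?string}
 */
function validateUpload(string $clientName, string $detectedMime): array
{
    // Never trust the client path: strip any directory components first.
    $base = basename(str_replace('\\', '/', $clientName));
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));

    if (!isset(ALLOWED_TYPES[$detectedMime])) {
        return ['ok' => false, 'reason' => "MIME type $detectedMime not allowed", 'storedName' => null];
    }

    // The bug class on this page: the extension was derived from the MIME type
    // only, so the client extension was never checked. Check it explicitly.
    if (!in_array($ext, ALLOWED_TYPES[$detectedMime], true)) {
        return ['ok' => false, 'reason' => "extension .$ext does not match $detectedMime", 'storedName' => null];
    }

    // Do not reuse the client name: generate a random name with the vetted extension.
    $storedName = bin2hex(random_bytes(16)) . '.' . $ext;
    return ['ok' => true, 'reason' => 'ok', 'storedName' => $storedName];
}

// Constructed sample inputs, including the mismatch described in the advisory.
foreach ([
    ['photo.png',  'image/png'],
    ['shell.php',  'image/png'],
    ['report.pdf', 'application/pdf'],
    ['notes.txt',  'text/plain'],
] as [$name, $mime]) {
    $r = validateUpload($name, $mime);
    printf("%-12s %-16s -> %s (%s)\n", $name, $mime, $r['ok'] ? 'ACCEPT' : 'REJECT', $r['reason']);
}
```

The second sample input (`image/png` content with a `.php` name) is rejected because the client extension is checked independently of the MIME-derived one; generating the stored name also removes the first precondition listed above even if the other two hold.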

References

  • github.com/advisories/GHSA-f3cx-396f-7jqp
  • github.com/livewire/livewire
  • github.com/livewire/livewire/commit/70503b79f5db75a1eac9bf55826038a6ee5a16d5
  • github.com/livewire/livewire/commit/cd168c6212ea13d13b82b3132485741f82d9fad9
  • github.com/livewire/livewire/pull/8624
  • github.com/livewire/livewire/security/advisories/GHSA-f3cx-396f-7jqp
  • nvd.nist.gov/vuln/detail/CVE-2024-47823


Affected versions

All versions before 2.12.7, all versions starting from 3.0.0-beta.1 before 3.5.2

Fixed versions

  • 3.5.2
  • 2.12.7

Solution

Upgrade to version 2.12.7 (2.x) or 3.5.2 (3.x), or later.

Impact: 7.5 HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H


Weakness

  • CWE-20: Improper Input Validation
  • CWE-434: Unrestricted Upload of File with Dangerous Type

Source file

packagist/livewire/livewire/CVE-2024-47823.yml


Page generated Wed, 14 May 2025 12:15:07 +0000.