CVE-2024-47823

Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a “.php” file extension. If the following criteria are met, the attacker can carry out an RCE attack: 1. Filename is composed of the original file name using `$file->getClientOriginalName()`. 2. Files stored directly on your server in a public storage disk. 3. Webserver is configured to execute “.php” files. This issue has been addressed in release versions `2.12.7` and `3.5.2`. All users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/livewire/livewire/commit/70503b79f5db75a1eac9bf55826038a6ee5a16d5	Patch
https://github.com/livewire/livewire/commit/cd168c6212ea13d13b82b3132485741f82d9fad9	Patch
https://github.com/livewire/livewire/pull/8624	Patch Issue Tracking
https://github.com/livewire/livewire/security/advisories/GHSA-f3cx-396f-7jqp	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:laravel:livewire::::::::
	cpe:2.3:a:laravel:livewire::::::::

History

No history.

Information

Published : 2024-10-08 18:15

Updated : 2025-03-06 18:06

NVD link : CVE-2024-47823

Mitre link : CVE-2024-47823

CVE.ORG link : CVE-2024-47823

JSON object : View

Products Affected

laravel

livewire

CWE

CWE-20

Improper Input Validation

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2024-47823", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2024-10-08T18:15:31.370", "references": [{"url": "https://github.com/livewire/livewire/commit/70503b79f5db75a1eac9bf55826038a6ee5a16d5", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/livewire/livewire/commit/cd168c6212ea13d13b82b3132485741f82d9fad9", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/livewire/livewire/pull/8624", "tags": ["Patch", "Issue Tracking"], "source": "[email protected]"}, {"url": "https://github.com/livewire/livewire/security/advisories/GHSA-f3cx-396f-7jqp", "tags": ["Exploit", "Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a \u201c.php\u201d file extension. If the following criteria are met, the attacker can carry out an RCE attack: 1. Filename is composed of the original file name using `$file->getClientOriginalName()`. 2. Files stored directly on your server in a public storage disk. 3. Webserver is configured to execute \u201c.php\u201d files. This issue has been addressed in release versions `2.12.7` and `3.5.2`. All users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Livewire es un framework full-stack para Laravel que permite componentes de UI din\u00e1micos sin salir de PHP. En livewire/livewire `< v3.5.2`, la extensi\u00f3n de archivo de un archivo cargado se adivina en funci\u00f3n del tipo MIME. Como resultado, la extensi\u00f3n de archivo real del nombre de archivo no se valida. Por lo tanto, un atacante puede eludir la validaci\u00f3n cargando un archivo con un tipo MIME v\u00e1lido (por ejemplo, `image/png`) y una extensi\u00f3n de archivo \u201c.php\u201d. Si se cumplen los siguientes criterios, el atacante puede llevar a cabo un ataque RCE: 1. El nombre de archivo est\u00e1 compuesto por el nombre de archivo original utilizando `$file->getClientOriginalName()`. 2. Archivos almacenados directamente en su servidor en un disco de almacenamiento p\u00fablico. 3. El servidor web est\u00e1 configurado para ejecutar archivos \u201c.php\u201d. Este problema se ha solucionado en la versi\u00f3n de lanzamiento 3.5.2. Se recomienda a todos los usuarios que actualicen. No existen workarounds para esta vulnerabilidad."}], "lastModified": "2025-03-06T18:06:52.687", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:laravel:livewire:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B6446531-ADA1-4E07-927F-1AB6E0169262", "versionEndExcluding": "2.12.7"}, {"criteria": "cpe:2.3:a:laravel:livewire:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8834EF93-2302-41B4-A5D2-2918D4740BB3", "versionEndExcluding": "3.5.2", "versionStartIncluding": "3.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}