
Source: SonarSource
A recent security analysis by Yaniv Nizry, a vulnerability researcher at SonarSource, has revealed multiple critical vulnerabilities in Voyager, a widely used open-source Laravel admin panel. These flaws allow attackers to perform one-click remote code execution (RCE), arbitrary file deletions, and cross-site scripting (XSS) attacks.
Despite multiple attempts to report these issues to Voyager’s maintainers, no fixes have been issued. SonarSource has therefore publicly disclosed these vulnerabilities under their 90-day responsible disclosure policy.
“We reported the findings to the project maintainers multiple times via emails and GitHub with no reply. We release this information to the public in order to protect users,” Yaniv Nizry wrote.
Voyager, with over 11,000 GitHub stars and millions of downloads, is heavily used in Laravel applications, making these vulnerabilities particularly concerning.
The most critical vulnerability, CVE-2024-55417, stems from an arbitrary file write flaw in Voyager’s media upload component.
How the Attack Works
1. Attackers exploit a MIME type validation weakness in Voyager’s /admin/media/upload endpoint.
2. Bypassing security checks, they upload a malicious PHP web shell disguised as an image or video file.
3. Since Voyager does not verify file extensions, attackers can execute arbitrary PHP code on the server.
“An attacker can craft a polyglot file that appears to be a legitimate file type to the getMimeType function (e.g., an image or video) but actually contains malicious PHP code.”
This vulnerability allows attackers to gain full control over the application, modify databases, steal user credentials, or escalate the attack to complete server takeover.
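The upload check described above, as an added illustration that is not Voyager’s or Laravel’s code: a sniff-only validator that a constructed GIF/PHP polyglot passes, beside a hardened validator that requires the extension, the sniffed type and the content to agree. The sniffer, the allowlist and the sample bytes are assumptions made for the example.

```python
from typing import Optional, Tuple

# extension -> MIME type expected from content sniffing (constructed allowlist)
ALLOWED = {"gif": "image/gif", "png": "image/png", "jpg": "image/jpeg",
           "jpeg": "image/jpeg", "mp4": "video/mp4"}
EXECUTABLE_EXTS = {"php", "phtml", "php3", "php5", "phar"}

# Constructed samples: a stub GIF and a GIF-header polyglot carrying a PHP tag
GENUINE_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16
POLYGLOT = b"GIF89a" + b"<?php echo 1; ?>"


def sniff_mime(data: bytes) -> Optional[str]:
    """Minimal magic-byte sniffer standing in for a getMimeType()-style check.
    It inspects only the leading bytes, which is why a polyglot passes."""
    if data.startswith((b"GIF87a", b"GIF89a")):
        return "image/gif"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "video/mp4"
    return None


def weak_check(filename: str, data: bytes) -> bool:
    """Sniff-only validation as the advisory describes: the extension is ignored."""
    return sniff_mime(data) in ALLOWED.values()


def hardened_check(filename: str, data: bytes) -> Tuple[bool, str]:
    """Extension allowlist, sniffed type must agree with the extension,
    no executable extension anywhere in the name, no PHP open tag in media."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    ext = parts[-1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    if any(p in EXECUTABLE_EXTS for p in parts[1:-1]):  # e.g. avatar.php.gif
        return False, "executable extension inside name"
    sniffed = sniff_mime(data)
    if sniffed != ALLOWED[ext]:
        return False, f"content {sniffed!r} does not match .{ext}"
    if b"<?php" in data or b"<?=" in data:
        return False, "PHP open tag inside media file"
    return True, "ok"
```

The weak check accepts the polyglot even under a .php name, while the hardened check rejects it on the extension, and rejects the same bytes under a .gif name because of the embedded PHP tag.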
Voyager’s /admin/compass endpoint is vulnerable to a reflected cross-site scripting (XSS) flaw (CVE-2024-55416), which allows attackers to:
- Trigger JavaScript execution when an admin clicks a malicious link.
- Hijack administrator sessions and execute commands on their behalf.
- Combine with CVE-2024-55417 to escalate into full remote code execution.
“If an authenticated user clicks on a specially crafted link, arbitrary JavaScript code can be executed, allowing an attacker to perform actions in the context of the victim.” This client-side vulnerability means an attack could be as simple as sending an email with a malicious link to a site admin.
Another flaw (CVE-2024-55415) in Voyager’s /admin/compass endpoint allows attackers to:
- Delete arbitrary files on the server, affecting application stability.
- Steal sensitive configuration files by combining with XSS.
“Arbitrary file deletion can have a severe impact on an application.” Attackers have used file deletion in the past to gain code execution via configuration resets.
This vulnerability could lead to denial-of-service (DoS) conditions, corrupting Laravel installations by deleting crucial system files.
Despite repeated notifications, Voyager’s developers have not issued any patches. With millions of downloads, many Laravel applications are exposed.
“We strongly advise users to carefully consider using this project in their applications and exercise caution when deciding to do so,” SonarSource warns.