CVE-2024-55661: RCE Vulnerability Discovered in Laravel Pulse Monitoring Tool
A serious security flaw has been discovered in Laravel Pulse, a popular real-time application performance monitoring and dashboard tool for Laravel applications. Tracked as CVE-2024-55661, this vulnerability could allow authenticated users with access to the Pulse dashboard to execute arbitrary code on the server, potentially leading to full system compromise.
Laravel Pulse provides developers with valuable insights into application performance, allowing them to identify bottlenecks and monitor usage.
The vulnerability resides within the remember() method of the Laravel\Pulse\Livewire\Concerns\RemembersQueries trait. This method, accessible through Livewire components, can be exploited to execute arbitrary callables (functions or static methods) within the application.
The impact of this vulnerability is significant. An authenticated user with access to the Laravel Pulse dashboard can leverage this flaw to execute arbitrary code on the server. The following criteria must be met for a successful exploit:
- The callable must be a function or a static method.
- The callable must have no parameters or no strictly typed parameters.
This means an attacker could potentially execute system commands, read sensitive files, or even take complete control of the server hosting the Laravel application. Kudos to Jeremy Angele for discovering and reporting this vulnerability.
The vulnerable component is the remember(callable $query, string $key = ”) method within the Laravel\Pulse\Livewire\Concerns\RemembersQueries trait. This affects all Pulse card components that utilize this trait.
The vulnerability can be triggered through Livewire component interactions. A simple example of an exploit is:
wire:click=”remember(‘\\Illuminate\\Support\\Facades\\Config::all’, ‘config’)”
This example demonstrates how an attacker could use the remember method to call the all method of the Illuminate\Support\Facades\Config facade, potentially revealing sensitive configuration information. However, the impact extends far beyond just reading configuration values; with carefully crafted payloads, an attacker could achieve full remote code execution.
All versions of Laravel Pulse prior to 1.3.1 are affected by this vulnerability. The patched version, 1.3.1, addresses this issue and should be implemented immediately.
