Exploiting Livewire: CVE-2024-47823 Puts Laravel Apps at Risk
A newly disclosed vulnerability, CVE-2024-47823, has been identified in Livewire, a popular full-stack framework for Laravel used to build dynamic UI components without leaving PHP. The flaw, which received a CVSS score of 7.7, lets an attacker who can upload a file through a Livewire component achieve Remote Code Execution (RCE) on servers that meet the conditions described below.
Livewire simplifies the development of dynamic user interfaces by integrating closely with Laravel, including a built-in file upload mechanism. The flaw lies in how that mechanism handled uploads in versions prior to v3.5.2.
In these vulnerable versions, Livewire guesses an uploaded file's extension from its MIME type and never validates the extension that actually appears in the uploaded filename. An attacker can therefore upload a file whose content carries a permitted MIME type, such as image/png, but whose name ends in a dangerous extension such as .php. If the application then stores the file under its original name on a publicly reachable disk, and the web server is configured to execute .php files, requesting the file runs the attacker's PHP and yields Remote Code Execution.
Security researcher Jeremy Angele, who reported the flaw, described how attackers could take advantage of the Livewire vulnerability under specific conditions:
- The stored filename is composed from the original file name using $file->getClientOriginalName()
- Files are stored directly on the server in a public storage disk
- The web server is configured to execute ".php" files
In a Proof of Concept (PoC) scenario, Angele demonstrated how an attacker could upload a file named shell.php with a MIME type of image/png. Once the file has been stored, the attacker triggers its execution simply by requesting it in a browser, running attacker-supplied PHP on the server.
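To make the mechanism concrete, here is an added example (not Livewire's or Laravel's own code) written as a stand-alone PHP script. The framework calls from the conditions above are replaced by plain values: the client-supplied name is a string, the "stored" name is a return value instead of a storeAs() call, and the MIME type is detected with PHP's finfo, which is the same libmagic-based guess a MIME check would rely on. The sample upload is constructed: valid PNG magic bytes followed by a PHP marker, so a MIME-only check passes while the filename still ends in .php.

```php
<?php
declare(strict_types=1);

// Added example, not Livewire/Laravel code. Run with: php upload_check.php
// Constructed sample upload: a real PNG signature and IHDR chunk, then a PHP
// marker. libmagic (finfo) reports image/png for this buffer because the
// PNG magic matches at offset 0; the trailing PHP text is never examined.
$clientName = 'shell.php';
$bytes = "\x89PNG\r\n\x1a\n"                        // PNG signature
       . "\0\0\0\rIHDR"                              // IHDR length (13) + type
       . "\0\0\0\x01\0\0\0\x01\x08\x02\0\0\0"        // 1x1, 8-bit RGB
       . "\0\0\0\0"                                  // CRC (not checked by magic)
       . "<?php /* marker only, never executed here */ ?>";

$finfo = new finfo(FILEINFO_MIME_TYPE);
$detectedMime = $finfo->buffer($bytes);              // "image/png"

// Vulnerable pattern: the MIME type alone decides acceptance, and the file is
// stored under the client-supplied name. This mirrors the three conditions
// in the advisory (original name kept, public disk, .php executed).
function vulnerableStoredName(string $clientName, string $detectedMime): ?string
{
    $allowedMimes = ['image/png', 'image/jpeg'];
    if (!in_array($detectedMime, $allowedMimes, true)) {
        return null;
    }
    return $clientName;                              // "shell.php" is kept as-is
}

// Hardened pattern:
//  1. allowlist of MIME type => permitted extensions, both must agree;
//  2. the extension is taken from the client filename, because that is what
//     the web server keys execution on;
//  3. the stored basename is random, so no client input reaches the disk.
const ALLOWED = [
    'image/png'  => ['png'],
    'image/jpeg' => ['jpg', 'jpeg'],
];

function hardenedStoredName(string $clientName, string $detectedMime): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($ext === '' || !array_key_exists($detectedMime, ALLOWED)) {
        return null;
    }
    if (!in_array($ext, ALLOWED[$detectedMime], true)) {
        return null;                                 // image/png bytes, .php name: reject
    }
    // Canonical extension for the detected type plus a random basename.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED[$detectedMime][0];
}

printf("detected MIME:        %s\n", $detectedMime);
printf("vulnerable stores as: %s\n", vulnerableStoredName($clientName, $detectedMime) ?? 'rejected');
printf("hardened stores as:   %s\n", hardenedStoredName($clientName, $detectedMime) ?? 'rejected');
printf("hardened, photo.png:  %s\n", hardenedStoredName('photo.png', $detectedMime) ?? 'rejected');
```

The vulnerable function accepts shell.php because the bytes look like a PNG, which is exactly the gap the advisory describes; the hardened function rejects it because ".php" is not a permitted extension for image/png. Generating a random basename also removes the double-extension problem (names such as shell.php.png) on servers whose handler rules match any ".php" segment, since nothing from the client filename is reused. Treat this as defence in depth on top of upgrading Livewire, not as a substitute for the patch.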
CVE-2024-47823 was patched in Livewire version 3.5.2. The patch includes stricter validation of file extensions during uploads, ensuring that files with mismatched MIME types and extensions are blocked.
To protect your systems, update Livewire to v3.5.2 or later immediately. Developers are also advised to configure their web servers so that PHP is not executed from public upload directories, to avoid storing uploads under client-supplied filenames, and to validate both the MIME type and the file extension during file uploads rather than relying on either one alone.