CVE-2024-47823

Livewire Remote Code Execution (RCE) on File Uploads

Severity Score

7.7

*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

NVD
MITRE

Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire `< v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a “.php” file extension. If the following criteria are met, the attacker can carry out an RCE attack: 1. Filename is composed of the original file name using `$file->getClientOriginalName()`. 2. Files stored directly on your server in a public storage disk. 3. Webserver is configured to execute “.php” files. This issue has been addressed in release version 3.5.2. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a “.php” file extension. If the following criteria are met, the attacker can carry out an RCE attack: 1. Filename is composed of the original file name using `$file->getClientOriginalName()`. 2. Files stored directly on your server in a public storage disk. 3. Webserver is configured to execute “.php” files. This issue has been addressed in release versions `2.12.7` and `3.5.2`. All users are advised to upgrade. There are no known workarounds for this vulnerability.

*Credits: N/A

CVSS Scores

GitHubv4 7.7

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

Present

Privileges Required

Low

User Interaction

None

System

Vulnerable | Subsequent

Confidentiality

High

None

Integrity

High

None

Availability

High

None

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-10-03 CVE Reserved
2024-10-08 CVE Published
2024-10-09 CVE Updated
2024-10-10 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation

CAPEC

References (4)

URL	Tag	Source
https://github.com/livewire/livewire/commit/70503b79f5db75a1eac9bf55826038a6ee5a16d5	X_refsource_misc
https://github.com/livewire/livewire/security/advisories/GHSA-f3cx-396f-7jqp	X_refsource_confirm
https://github.com/livewire/livewire/pull/8624	X_refsource_misc
https://github.com/livewire/livewire/commit/cd168c6212ea13d13b82b3132485741f82d9fad9	X_refsource_misc

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Livewire Search vendor "Livewire"		Livewire Search vendor "Livewire" for product "Livewire"				>= 3.0.0 < 3.5.2 Search vendor "Livewire" for product "Livewire" and version " >= 3.0.0 < 3.5.2"		en		Affected
Livewire Search vendor "Livewire"		Livewire Search vendor "Livewire" for product "Livewire"				< 2.12.7 Search vendor "Livewire" for product "Livewire" and version " < 2.12.7"		en		Affected