CVE-2024-55661: Laravel Pulse Allows Remote Code Execution via Unprotected Query Method

December 13, 2024 (updated December 17, 2024)

A vulnerability has been discovered in Laravel Pulse that could allow remote code execution through the public remember() method in the Laravel\Pulse\Livewire\Concerns\RemembersQueries trait. This method is accessible via Livewire components and can be exploited to call arbitrary callables within the application.

References

github.com/advisories/GHSA-8vwh-pr89-4mw2
github.com/laravel/pulse
github.com/laravel/pulse/commit/d1a5bf2eca36c6e3bedb4ceecd45df7d002a1ebc
github.com/laravel/pulse/security/advisories/GHSA-8vwh-pr89-4mw2
nvd.nist.gov/vuln/detail/CVE-2024-55661

Code Behaviors & Features

Detect and mitigate CVE-2024-55661 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →