Advisories for Composer/Laravel/Reverb package

This vulnerability affects Laravel Reverb versions prior to v1.7.0 when horizontal scaling is enabled (REVERB_SCALING_ENABLED=true). The exploitability of this vulnerability is increased because Redis servers are commonly deployed without authentication. With horizontal scaling enabled, Reverb servers communicate via Redis PubSub. Reverb previously passed data from the Redis channel directly into PHP’s unserialize() function without restricting which classes could be instantiated. Risk: Remote Code Execution (RCE)

A community member disclosed an issue where verification signatures for requests sent to Reverb's Pusher-compatible API were not being verified. This API is used in scenarios such as broadcasting a message from a backend service or for obtaining statistical information (such as number of connections) about a given channel. The verification signature is a hash comprised of different parts of the request signed by the app's secret key. The signature …