CVE-2024-55555
published 2025-01-07


Priority: P2 (71) · high · CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 6.50% (92.9th percentile)
Invoice Ninja before 5.10.43 allows remote code execution from a pre-authenticated route when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values. The route/{hash} route defined in the invoiceninja/routes/client.php file can be accessed without authentication. The parameter {hash} is passed to the function decrypt that expects a Laravel ciphered value containing a serialized object. (Furthermore, Laravel contains several gadget chains usable to trigger remote command execution from arbitrary deserialization.) Therefore, an attacker in possession of the APP_KEY is able to fully control a string passed to an unserialize function.

Detection & IOCs (extracted from sources)

URL: route/{hash}
Path: invoiceninja/routes/client.php
  • Monitor unauthenticated HTTP requests to the /route/{hash} endpoint; any POST/GET to this path without a session should be treated as suspicious, especially if the hash parameter contains a Laravel-encrypted serialized payload.
  • Alert on deserialization of Laravel ciphered values arriving via the pre-authenticated /route/ endpoint; gadget chain execution will typically manifest as unexpected child processes spawned from the PHP/web-server process.
  • Detect exposure of the .env file over HTTP (e.g., GET /.env returning 200); a leaked APP_KEY is a prerequisite for exploiting this vulnerability.
  • Flag Invoice Ninja instances running versions >= 5.8.22 and < 5.10.43 as vulnerable; the Metasploit module targets this range.
  • Exploitation requires the attacker to know the APP_KEY; default APP_KEY values shipped in the repository's .env files dramatically lower this bar — ensure APP_KEY is rotated and .env is not publicly accessible.
  • The Metasploit module targets Linux HTTP deployments; adjust detection scope if Invoice Ninja is deployed on other platforms.
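The first three detection points above (unauthenticated hits on /route/{hash} carrying a Laravel-encrypted envelope, and a 200 response to GET /.env) can be checked directly against web-server access logs. The script below is an added example written for this page, not code from Invoice Ninja, Laravel or the Metasploit project. It assumes combined-log-format lines; the sample log lines and the token are constructed here (the token has the base64(JSON{iv,value,mac}) shape that Laravel's Encrypter emits but contains fixed filler bytes, not a real ciphertext).

```python
import base64
import json
import re
from typing import Optional
from urllib.parse import unquote

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# The pre-authenticated route from invoiceninja/routes/client.php; the {hash}
# segment is everything after /route/ up to the query string or fragment.
ROUTE_RE = re.compile(r'^/route/(?P<hash>[^?#]+)')


def looks_like_laravel_ciphertext(token: str) -> bool:
    """True if token is base64(JSON) with the iv/value/mac keys that Laravel's
    Encrypter produces, i.e. a value the route would hand to decrypt()."""
    try:
        raw = base64.b64decode(token, validate=True)
        obj = json.loads(raw)
    except ValueError:  # bad base64 (binascii.Error), bad UTF-8, or bad JSON
        return False
    return isinstance(obj, dict) and {"iv", "value", "mac"} <= set(obj.keys())


def classify(line: str) -> Optional[dict]:
    """Map one access-log line to a finding, or None if it is uninteresting."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, path, status = m["ip"], m["path"], int(m["status"])
    # Leaked .env (and with it APP_KEY) is the precondition for the attack.
    if path.split("?", 1)[0] == "/.env" and status == 200:
        return {"ip": ip, "rule": "env-exposed", "path": path}
    r = ROUTE_RE.match(path)
    if r:
        token = unquote(r["hash"])  # '+' and '=' are often percent-encoded
        rule = ("route-encrypted-payload" if looks_like_laravel_ciphertext(token)
                else "route-hash-other")
        return {"ip": ip, "rule": rule, "path": path, "status": status}
    return None


def scan(lines) -> list:
    """Return all findings for an iterable of log lines, in log order."""
    return [hit for hit in map(classify, lines) if hit is not None]


def sample_token() -> str:
    # Constructed stand-in: Laravel envelope shape, fixed filler bytes, no real key.
    envelope = {
        "iv": base64.b64encode(b"\x00" * 16).decode(),
        "value": base64.b64encode(b"not-a-real-ciphertext").decode(),
        "mac": "ab" * 32,
    }
    return base64.b64encode(json.dumps(envelope).encode()).decode()


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Jan/2025:10:00:01 +0000] "GET /.env HTTP/1.1" 200 812 "-" "curl/8.4.0"',
    f'203.0.113.7 - - [07/Jan/2025:10:00:05 +0000] "GET /route/{sample_token()} HTTP/1.1" 500 0 "-" "curl/8.4.0"',
    '198.51.100.4 - - [07/Jan/2025:10:01:00 +0000] "GET /route/ab12cd34 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [07/Jan/2025:10:02:00 +0000] "GET /client/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["rule"], hit["ip"], hit["path"][:40])
```

Two caveats for anyone wiring this into a SIEM rule: legitimate Invoice Ninja client links also travel through /route/{hash} with a valid ciphertext, so `route-encrypted-payload` is a triage signal to correlate with source IP, session cookies and unusual response codes (a 500 from decrypt/unserialize failing is worth a look), not proof of exploitation; and an access log does not show whether a request carried a session, so the "without a session" condition from the first bullet has to come from the application log or a cookie-aware proxy.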