CVE-2024-55661
Published 2024-12-13
Priority: P273 · high
CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: PoC available
EPSS: 28.57% (97.9th percentile)
Laravel Pulse is a real-time application performance monitoring tool and dashboard for Laravel applications. A vulnerability has been discovered in Laravel Pulse prior to version 1.3.1 that could allow remote code execution through the public `remember()` method in the `Laravel\Pulse\Livewire\Concerns\RemembersQueries` trait. This method is accessible via Livewire components and can be exploited to call arbitrary callables within the application. An authenticated user with access to the Laravel Pulse dashboard can execute arbitrary code by invoking any callable that is a function or static method and that has no parameters or no strictly typed parameters. The vulnerable component is the `remember(callable $query, string $key = '')` method in `Laravel\Pulse\Livewire\Concerns\RemembersQueries`; the vulnerability affects all Pulse card components that use this trait. Version 1.3.1 contains a patch.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| laravel | pulse | < 1.3.1 | 1.3.1 |
| laravel | pulse | >= 0 < 1.3.1 | 1.3.1 |
Detection & IOCs (extracted from sources)
Command: `POST /livewire/message/<component>` with JSON body `{"type": "callMethod", "method": "remember", "params": ["<callable>", "<key>"], "id": "<component_id>", "name": "<component>"}`
- Detect exploit attempts by monitoring POST requests to the /livewire/message/ endpoint that contain a JSON body with 'method': 'remember' and 'type': 'callMethod'; this is the specific Livewire wire call abused in this CVE.
- Flag HTTP requests to /livewire/message/* that include the 'X-Livewire: true' header combined with a JSON body invoking the 'remember' method, as this is the attack vector for CVE-2024-55661.
- Alert on Livewire requests where the 'params' array contains fully-qualified PHP static method strings (e.g. '\Illuminate\Support\Facades\Config::all'), as these are the callables being injected via the remember() method.
- The vulnerable code path is the public remember() method in the RemembersQueries trait, accessible via all Pulse card Livewire components. Monitor for callMethod Livewire requests targeting 'remember' on any Pulse component.
- Exploitation requires the attacker to be an authenticated user with access to the Laravel Pulse dashboard; unauthenticated exploitation is not possible.
- The callable invoked must have no parameters or no strict parameter types; not all PHP callables/static methods are exploitable, which limits the attack surface to loosely-typed or zero-argument methods.
- The PoC exploit script references version 1.3.1 in its title but was tested against v1.2.0; the fix is contained in version 1.3.1. Ensure version checks treat < 1.3.1 as vulnerable.
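The detection bullets above, turned into a request classifier as an added example (this is not code from the page, Laravel, or Pulse). It walks the JSON body for any `callMethod` node, so it matches both the flattened shape quoted on this page and the nested `updates[].payload` shape Livewire v2 sends (an assumption about that nesting); the sample requests and the `setPeriod` method name are constructed.

```python
import json
import re
from typing import Any, Dict, Iterator, List, Optional, Tuple

# Fully-qualified PHP static-method callable, e.g. "\Illuminate\Support\Facades\Config::all".
STATIC_CALLABLE = re.compile(r"^\\?[A-Za-z_][\w\\]*::[A-Za-z_]\w*$")


def _call_method_nodes(node: Any) -> Iterator[dict]:
    """Yield every JSON object whose "type" is "callMethod", however deeply nested."""
    if isinstance(node, dict):
        if node.get("type") == "callMethod":
            yield node
        for value in node.values():
            yield from _call_method_nodes(value)
    elif isinstance(node, list):
        for value in node:
            yield from _call_method_nodes(value)


def classify_request(method: str, path: str, headers: Dict[str, str], body: str) -> Optional[str]:
    """Return an alert label when a request matches the CVE-2024-55661 pattern, else None."""
    if method.upper() != "POST" or not path.startswith("/livewire/message/"):
        return None
    try:
        payload = json.loads(body)
    except ValueError:
        return None  # not JSON, so not a Livewire message
    for node in _call_method_nodes(payload):
        # Nested form keeps method/params under "payload"; the flattened form has them on the node.
        call = node.get("payload", node)
        if call.get("method") != "remember":
            continue
        params = call.get("params") or []
        if any(isinstance(p, str) and STATIC_CALLABLE.match(p) for p in params):
            return "cve-2024-55661-static-callable"  # injected callable visible in params
        return "cve-2024-55661-remember-call"       # any remember() wire call is suspect
    return None


def scan(requests: List[Tuple[str, str, Dict[str, str], str]]) -> List[Tuple[str, str]]:
    """Run the classifier over (method, path, headers, body) records; keep only hits."""
    hits = []
    for method, path, headers, body in requests:
        label = classify_request(method, path, headers, body)
        if label:
            hits.append((path, label))
    return hits


# Constructed sample traffic: two abuse attempts, one benign Livewire call, one plain page load.
SAMPLE_REQUESTS = [
    ("POST", "/livewire/message/pulse.usage", {"X-Livewire": "true"}, json.dumps(
        {"type": "callMethod", "method": "remember",
         "params": ["\\Illuminate\\Support\\Facades\\Config::all", "k"], "id": "abc", "name": "pulse.usage"})),
    ("POST", "/livewire/message/pulse.usage", {"X-Livewire": "true"}, json.dumps(
        {"updates": [{"type": "callMethod", "payload": {"id": "x", "method": "remember", "params": []}}]})),
    ("POST", "/livewire/message/pulse.usage", {"X-Livewire": "true"}, json.dumps(
        {"updates": [{"type": "callMethod", "payload": {"method": "setPeriod", "params": ["1_hour"]}}]})),
    ("GET", "/pulse", {}, ""),
]
```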
CVSS provenance
- NVD, CVSS v3.1: 8.8 HIGH, vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`
- NVD, CVSS v4.0: 8.7 HIGH, vector `CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X`
GHSA (ghsa · 2024-12-13): CVE-2024-55661 [HIGH] CWE-94
Laravel Pulse Allows Remote Code Execution via Unprotected Query Method
A vulnerability has been discovered in Laravel Pulse that could allow remote code execution through the public `remember()` method in the `Laravel\Pulse\Livewire\Concerns\RemembersQueries` trait. This method is accessible via Livewire components and can be exploited to call arbitrary callables within the application.
### Impact
An authenticated user with access to Laravel Pulse dashboard can execute arbitrary code by calling any function or static method that meets the following criteria:
- The callable is a function or static method
- The callable has no parameters or no strict parameter types
### Vulnerable Components
- The `remember(callable $query, string $key = '')` method in `Laravel\Pulse\Livewire\Concerns
OSV (osv · 2024-12-13): CVE-2024-55661 [HIGH]
Laravel Pulse Allows Remote Code Execution via Unprotected Query Method
No detection rules found.
No writeups or analysis indexed.