A vulnerability has been discovered in Laravel Pulse that could allow remote code execution through the public remember() method in the Laravel\Pulse\Livewire\Concerns\RemembersQueries trait. This method is accessible via Livewire components and can be exploited to call arbitrary callables within the application.
Impact
An authenticated user with access to the Laravel Pulse dashboard can execute arbitrary code by calling any function or static method that meets the following criteria:
- The callable is a function or static method
- The callable has no parameters or no strict parameter types
Vulnerable Components
- The remember(callable $query, string $key = '') method in Laravel\Pulse\Livewire\Concerns\RemembersQueries
- Affects all Pulse card components that use this trait
Attack Vectors
The vulnerability can be exploited through Livewire component interactions, for example:
wire:click="remember('\\Illuminate\\Support\\Facades\\Config::all', 'config')"
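The following PHP is an added illustration, not Laravel Pulse's own source or its upstream patch. It reconstructs the shape the advisory describes (a public trait method that executes whatever callable it is handed, which Livewire exposes as a browser-invokable action), shows an assumed hardened form that keeps the method non-public and resolves queries from a server-side allow-list, and includes a reflection-based audit helper a reviewer can run over their own Livewire components to find public methods accepting callable, Closure, mixed or untyped parameters. The trait names RemembersQueriesVulnerable and RemembersQueriesHardened, the card classes and the function findExposedCallableSinks are all made up for this example.

```php
<?php
// Added illustration (not Laravel Pulse's own code). Livewire exposes every
// public component method as an action the browser may call, so a public
// method that runs an arbitrary callable is a remote code execution sink.

// Shape described in the advisory (reconstructed, not Pulse's actual source).
trait RemembersQueriesVulnerable
{
    public function remember(callable $query, string $key = ''): mixed
    {
        // Any client-supplied string that resolves to a callable is executed here.
        return $query();
    }
}

// Assumed hardened pattern (illustrative, not the upstream fix):
// 1. the method is protected, so Livewire does not expose it as an action;
// 2. the query is chosen server-side from an allow-list keyed by a plain string.
trait RemembersQueriesHardened
{
    /** @var array<string, \Closure> populated by the component, never by the client */
    protected array $queries = [];

    protected function remember(string $key): mixed
    {
        if (! array_key_exists($key, $this->queries)) {
            throw new InvalidArgumentException("Unknown query key: {$key}");
        }
        return ($this->queries[$key])();
    }
}

/**
 * Audit helper: list public, non-static, non-magic methods whose parameters are
 * untyped or typed callable/Closure/mixed. On a Livewire component each such
 * method is browser-invokable, which is the exposure the advisory describes.
 *
 * @return list<string> e.g. ["VulnerableCard::remember($query)"]
 */
function findExposedCallableSinks(string $class): array
{
    $findings = [];
    $methods = (new ReflectionClass($class))->getMethods(ReflectionMethod::IS_PUBLIC);
    foreach ($methods as $method) {
        if ($method->isStatic() || str_starts_with($method->getName(), '__')) {
            continue;
        }
        foreach ($method->getParameters() as $param) {
            $type = $param->getType();
            $risky = $type === null
                || ($type instanceof ReflectionNamedType
                    && in_array($type->getName(), ['callable', 'Closure', 'mixed'], true));
            if ($risky) {
                $findings[] = sprintf('%s::%s($%s)', $class, $method->getName(), $param->getName());
                break; // one finding per method is enough
            }
        }
    }
    return $findings;
}

// Constructed sample components for the audit.
final class VulnerableCard { use RemembersQueriesVulnerable; }
final class HardenedCard { use RemembersQueriesHardened; }

print_r(findExposedCallableSinks(VulnerableCard::class)); // lists VulnerableCard::remember($query)
print_r(findExposedCallableSinks(HardenedCard::class));   // empty array: remember() is not public
```

The audit helper deliberately flags untyped and `mixed` parameters as well as `callable`, because a loose parameter that is later passed to `call_user_func()` or invoked directly carries the same risk even though its signature does not say "callable". Running it across all classes that use a Livewire concern is a cheap way to confirm that a patch actually removed the public exposure rather than just renaming the method.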
Credit
Thank you to Jeremy Angele for reporting this vulnerability.