CVE-2024-34515

8.8 HIGH

📋 TL;DR

CVE-2024-34515 is a PHAR deserialization vulnerability in the spatie/image-optimizer library that allows attackers to execute arbitrary code by exploiting the phar:// protocol in file_exists() arguments. This affects any application using vulnerable versions of this PHP image optimization library. The vulnerability can be exploited without authentication when user-controlled input reaches the vulnerable function.

💻 Affected Systems

Products:
  • spatie/image-optimizer
Versions: All versions before 1.7.3
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the core library functionality when processing user-supplied file paths.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the environment.

🟠 Likely Case

Arbitrary code execution with the privileges of the web server process, potentially allowing file system access and further exploitation.

🟢 If Mitigated

Limited impact if proper input validation and file protocol restrictions are in place, though deserialization risks remain.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the ability to control input to file_exists() calls and upload a malicious PHAR file to the server.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.3

Vendor Advisory: https://github.com/spatie/image-optimizer/compare/1.7.2...1.7.3

Restart Required: No

Instructions:

1. Update composer.json to require "spatie/image-optimizer": "^1.7.3"
2. Run composer update spatie/image-optimizer
3. Verify the update completed successfully

🔧 Temporary Workarounds

Disable PHAR wrapper (applies to: all)

Disable the phar:// stream wrapper in PHP configuration to prevent PHAR deserialization attacks. Note that phar.readonly=1 only prevents creating or modifying PHAR archives; the phar:// wrapper stays registered for reads, so an application that never needs PHAR archives should additionally call stream_wrapper_unregister('phar') at startup.

php -d phar.readonly=1 your_script.php

Input validation (applies to: all)

Implement strict input validation to reject any file paths containing the phar:// protocol

🧯 If You Can't Patch

  • Implement strict input validation to reject any user input containing phar:// protocol
  • Use web application firewall rules to block requests containing phar:// in parameters

🔍 How to Verify

Check if Vulnerable:

Check composer.lock or run composer show spatie/image-optimizer to see whether the installed version is below 1.7.3

Check Version:

composer show spatie/image-optimizer | grep versions

Verify Fix Applied:

Verify composer.lock shows version 1.7.3 or higher for spatie/image-optimizer

📡 Detection & Monitoring

Log Indicators:

  • Unusual file operations with phar:// protocol
  • Errors from file_exists() with phar paths
  • Unexpected PHP process execution

Network Indicators:

  • HTTP requests containing phar:// in parameters
  • Unusual outbound connections from web server

SIEM Query:

web_logs WHERE url_params CONTAINS 'phar://' OR request_body CONTAINS 'phar://'
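A literal match on 'phar://' as in the query above misses percent-encoded (phar%3A%2F%2F) and mixed-case (PHAR://) forms, both of which PHP's wrapper lookup still accepts. The following is an added example, not part of this advisory: it normalizes each request's query string and body before matching, run over constructed sample log lines.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in the form "METHOD TARGET BODY"
# (BODY is "-" when the request carried none). Not real traffic.
SAMPLE_LOGS = [
    'GET /optimize?src=uploads/photo.jpg -',
    'GET /optimize?src=phar://uploads/avatar.jpg/x.png -',
    'POST /optimize src=PHAR%3A%2F%2Fuploads%2Favatar.jpg%2Fx.png',
    'GET /optimize?src=phar%253A%252F%252Fuploads%252Favatar.jpg -',
    'GET /optimize?src=uploads/pharmacy.jpg -',
]

PHAR_WRAPPER = re.compile(r'phar://')


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) and lowercase so encoded or
    mixed-case wrapper prefixes become visible to a plain match."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()


def contains_phar_wrapper(value: str) -> bool:
    """True if the normalized value references the phar:// stream wrapper."""
    return PHAR_WRAPPER.search(normalize(value)) is not None


def parse_log_line(line: str):
    """Split a sample line into (query_string, body); '-' means no body."""
    _method, target, body = line.split(' ', 2)
    query = target.partition('?')[2]
    return query, ('' if body == '-' else body)


def find_phar_requests(lines):
    """Return the log lines whose query string or body carries phar://."""
    hits = []
    for line in lines:
        query, body = parse_log_line(line)
        if contains_phar_wrapper(query) or contains_phar_wrapper(body):
            hits.append(line)
    return hits
```

Three of the five constructed lines are flagged; the literal 'uploads/pharmacy.jpg' is not, since only the full scheme prefix is matched.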
