CVE-2024-47823

9.8 CRITICAL

📋 TL;DR

This vulnerability in Livewire allows attackers to bypass file upload validation by uploading PHP files disguised as images. If the server stores uploaded files with their original names in a public directory and executes PHP files, this can lead to remote code execution. All Livewire users running versions below 2.12.7 or 3.5.2 are affected.

💻 Affected Systems

Products:
  • livewire/livewire
Versions: All versions prior to 2.12.7 and 3.5.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires file upload functionality using Livewire's file handling and storage in public directory with PHP execution enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete server compromise, data theft, and lateral movement within the network.

🟠

Likely Case

File upload leading to web shell installation and limited server access.

🟢

If Mitigated

File upload blocked or stored safely with no execution capability.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires specific server configuration but is straightforward once conditions are met.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.12.7 or 3.5.2

Vendor Advisory: https://github.com/livewire/livewire/security/advisories/GHSA-f3cx-396f-7jqp

Restart Required: No

Instructions:

1. Update Livewire via Composer: 'composer require livewire/livewire:^2.12.7' or 'composer require livewire/livewire:^3.5.2'.
2. Verify the update with 'composer show livewire/livewire'.
3. Clear the Laravel cache: 'php artisan optimize:clear'.

🔧 Temporary Workarounds

Custom File Validation

all

Implement server-side validation that checks both MIME type AND file extension before accepting uploads.

Secure File Storage

all

Store uploaded files outside web root or use storage that doesn't execute PHP files.
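The two workarounds above (validate both content MIME type and extension; store outside the web root under a name the client does not control) combined in one Livewire v3 component. This is an added example, not code from Livewire or from the advisory; it assumes Laravel 10.21+ for the 'extensions' validation rule and a non-public disk named 'private' in config/filesystems.php.

```php
<?php
// Added example (not Livewire's own code). Assumes: Laravel 10.21+ for the
// `extensions` rule, and a disk called `private` (outside public/) in
// config/filesystems.php.

namespace App\Livewire;

use Livewire\Component;
use Livewire\WithFileUploads;
use Livewire\Attributes\Validate;
use Illuminate\Support\Str;

class AvatarUpload extends Component
{
    use WithFileUploads;

    // `mimes` inspects the file content (magic bytes); `extensions` inspects the
    // client-supplied filename. A PHP script renamed avatar.png fails the first
    // check, a genuine PNG named shell.php fails the second.
    #[Validate('required|file|mimes:jpg,jpeg,png,gif|extensions:jpg,jpeg,png,gif|max:2048')]
    public $avatar;

    public function save(): void
    {
        $this->validate();

        // Independent second look at the bytes with finfo, so the decision does
        // not rest on the validator alone.
        $allowed  = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
        $detected = (new \finfo(FILEINFO_MIME_TYPE))->buffer($this->avatar->get());
        if (!isset($allowed[$detected])) {
            $this->addError('avatar', 'File content is not an allowed image type.');
            return;
        }

        // Never reuse the original name: generate one, with the extension taken
        // from the detected type rather than from the client, and store it on a
        // disk that is not served by the web server.
        $name = Str::uuid() . '.' . $allowed[$detected];
        $this->avatar->storeAs('avatars', $name, 'private');

        session()->flash('status', 'Upload stored as ' . $name);
    }

    public function render()
    {
        return view('livewire.avatar-upload');
    }
}
```

Even if the 'private' disk were later pointed at a public path, the generated filename only ever carries an image extension, so a PHP interpreter configured to run .php files has nothing to execute.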

🧯 If You Can't Patch

  • Disable file upload functionality in Livewire components
  • Implement web application firewall rules to block .php file uploads

🔍 How to Verify

Check if Vulnerable:

Check composer.json or run 'composer show livewire/livewire' to see if version is below 2.12.7 (for v2) or 3.5.2 (for v3).

Check Version:

composer show livewire/livewire | grep versions

Verify Fix Applied:

Confirm version is 2.12.7+ or 3.5.2+ via 'composer show livewire/livewire' and test file upload with .php extension disguised as image.

📡 Detection & Monitoring

Log Indicators:

  • File uploads with .php extension but image MIME types
  • Unexpected PHP file execution in upload directories

Network Indicators:

  • HTTP POST requests to upload endpoints with suspicious file content

SIEM Query:

source="web_logs" AND (uri_path="*upload*" OR method="POST") AND (file_extension=".php" AND content_type="image/*")

🔗 References
