CVE-2024-55417 – CVE-2024-55417 allows authenticated users in De... (How to Fix)

Q: What is the severity of CVE-2024-55417?

CVE-2024-55417 has a CVSS score of 4.3 (MEDIUM). CVE-2024-55417 allows authenticated users in DevDojo Voyager to bypass file type verification when uploading files via the media upload endpoint. This enables attackers to upload malicious files like web shells, leading to arbitrary code execution on the server. Only Voyager installations with authenticated user access are affected.

📋 TL;DR

CVE-2024-55417 allows authenticated users in DevDojo Voyager to bypass file type verification when uploading files via the media upload endpoint. This enables attackers to upload malicious files like web shells, leading to arbitrary code execution on the server. Only Voyager installations with authenticated user access are affected.

💻 Affected Systems

Products:

DevDojo Voyager

Versions: through version 1.8.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Requires authenticated user access to the Voyager admin panel.

📦 What is this software?

Voyager by Thecontrolgroup

View all CVEs affecting Voyager →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise through web shell upload, allowing data theft, lateral movement, and persistent backdoor installation.

🟠

Likely Case

Authenticated attacker uploads web shell, gains remote code execution, and compromises the application server.

🟢

If Mitigated

Attack prevented by proper file validation, leaving only failed upload attempts in logs.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access but is straightforward once credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.1 or later

Vendor Advisory: https://github.com/thedevdojo/voyager/security/advisories

Restart Required: No

Instructions:

1. Update Voyager to version 1.8.1 or later via composer update. 2. Verify the patch is applied by checking the VoyagerMediaController.php file.

🔧 Temporary Workarounds

Implement custom file validation middleware

all

Add server-side file type validation before processing uploads

Create custom middleware with strict MIME type and extension validation

Restrict upload directory permissions

linux

Set upload directory to read-only for web server user

chmod 755 /path/to/uploads
chown root:www-data /path/to/uploads

🧯 If You Can't Patch

Disable the media upload functionality entirely via route middleware
Implement WAF rules to block suspicious file uploads with .php, .phtml, .jsp extensions

🔍 How to Verify

Check if Vulnerable:

Check if Voyager version is 1.8.0 or earlier and if /admin/media/upload endpoint is accessible

Check Version:

composer show thedevdojo/voyager | grep version

Verify Fix Applied:

Verify Voyager version is 1.8.1+ and test file upload with malicious extension is rejected

📡 Detection & Monitoring

Log Indicators:

Failed file upload attempts with unusual extensions
Successful uploads of .php, .phtml, .jsp files to media directory

Network Indicators:

POST requests to /admin/media/upload with executable file types
Subsequent requests to uploaded suspicious files

SIEM Query:

source="web_logs" AND (uri_path="/admin/media/upload" AND (file_extension="php" OR file_extension="phtml" OR file_extension="jsp"))

📊 Metadata

CVE ID: CVE-2024-55417

CVSS v3 Score: 4.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE: CWE-434

EPSS Score: 5.66% exploit probability (90.2th percentile)

Published: January 30, 2025

Last Updated: May 23, 2025

🔗 References

https://github.com/thedevdojo/voyager/blob/1.6/src/Http/Controllers/VoyagerMediaController.php#L238 Product
https://www.sonarsource.com/blog/the-tainted-voyage-uncovering-voyagers-vulnerabilities/ Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-55417, you might also want to check these: