CVE-2024-55636
📋 TL;DR
This CVE describes a gadget chain vulnerability in Drupal Core that enables object injection when untrusted data is deserialized. While not directly exploitable on its own, it provides a vector for remote code execution if another vulnerability allows deserialization of attacker-controlled data. Affected are Drupal Core versions from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, and from 11.0.0 before 11.0.8.
💻 Affected Systems
- Drupal Core
📦 What is this software?
Drupal by Drupal
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Privilege escalation, data manipulation, or denial of service if combined with another deserialization vulnerability.
If Mitigated
No impact if no other deserialization vulnerabilities exist and input validation is properly implemented.
🎯 Exploit Status
Exploitation requires chaining with another deserialization vulnerability; no direct exploit exists for this gadget chain alone.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.2.11, 10.3.9, 11.0.8
Vendor Advisory: https://www.drupal.org/sa-core-2024-006
Restart Required: No
Instructions:
1. Back up your Drupal site and database.
2. Update Drupal Core to the patched version via Composer: 'composer update drupal/core-recommended --with-dependencies'.
3. Run database updates: 'drush updatedb' or via the web interface.
4. Clear caches: 'drush cr' or via the web interface.
🔧 Temporary Workarounds
Disable PHP object deserialization
Prevent PHP from deserializing objects found in user input by changing application code so that unserialize() is never called on untrusted data.
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all user-supplied data.
- Monitor and audit code for use of unserialize() or similar functions on untrusted input.
🔍 How to Verify
Check if Vulnerable:
Check the Drupal version via admin/reports/status or the 'drush status' command; if the version falls in an affected range, the site is vulnerable.
Check Version:
drush status | grep 'Drupal version'
Verify Fix Applied:
Confirm Drupal version is 10.2.11, 10.3.9, 11.0.8 or later via admin/reports/status or 'drush status'.
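The version check above can be automated against the text output of 'drush status'. The script below is an added example, not part of the advisory or of Drupal or Drush; the sample 'drush status' output is constructed, and the affected ranges are the three from this advisory (versions at or above each branch's upper bound are treated as fixed).

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges for CVE-2024-55636 as half-open intervals [lower, upper),
# one per release branch; upper is the first fixed release of that branch.
AFFECTED_RANGES = [
    ((8, 0, 0), (10, 2, 11)),
    ((10, 3, 0), (10, 3, 9)),
    ((11, 0, 0), (11, 0, 8)),
]

def parse_version(text: str) -> Optional[Version]:
    """Turn '10.2.10' into a comparable (major, minor, patch) tuple.
    A suffix such as '-dev' or '-rc1' is ignored, so a pre-release
    snapshot of the fixed version is treated as fixed (verify manually)."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)

def version_from_drush_status(output: str) -> Optional[Version]:
    """Extract the core version from the 'Drupal version : X.Y.Z' line."""
    for line in output.splitlines():
        if "Drupal version" in line:
            _, _, value = line.partition(":")
            return parse_version(value)
    return None

def is_affected(version: Version) -> bool:
    """True if the version lies inside any affected range."""
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)

def assess(output: str) -> str:
    """Classify a 'drush status' dump as vulnerable / not affected / unknown."""
    version = version_from_drush_status(output)
    if version is None:
        return "unknown"
    return "vulnerable" if is_affected(version) else "not in affected range"

# Constructed sample of 'drush status' output (not taken from a real site).
SAMPLE_STATUS = """\
 Drupal version   : 10.2.10
 Site URI         : http://default
 DB driver        : mysql
 Drupal bootstrap : Successful
"""

if __name__ == "__main__":
    print(assess(SAMPLE_STATUS))  # vulnerable
```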
📡 Detection & Monitoring
Log Indicators:
- Unusual PHP errors related to deserialization or object injection in Drupal logs.
- Unexpected process execution or file writes in system logs.
Network Indicators:
- Anomalous HTTP requests containing serialized data payloads to Drupal endpoints.
SIEM Query:
source="drupal.log" AND ("unserialize" OR "object injection" OR "PHP error")