CVE-2024-55638

9.8 CRITICAL

📋 TL;DR

This CVE describes a gadget chain in Drupal Core that enables PHP object injection when untrusted data is deserialized. The chain is not directly exploitable on its own, but it can be leveraged for remote code execution if another vulnerability lets an attacker supply data to unserialize(). Drupal sites running affected versions from 7.0 through 10.3.8 (see the exact ranges below) are at risk.

💻 Affected Systems

Products:
  • Drupal Core
Versions: 7.0 to 7.101, 8.0.0 to 10.2.10, 10.3.0 to 10.3.8
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires another vulnerability that allows deserialization of untrusted data to be exploitable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case

Remote code execution resulting in website defacement, data exfiltration, or installation of backdoors.

🟢 If Mitigated

No impact if proper input validation prevents deserialization of untrusted data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires chaining with another deserialization vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.102, 10.2.11, 10.3.9

Vendor Advisory: https://www.drupal.org/sa-core-2024-008

Restart Required: No

Instructions:

1. Back up your Drupal site and database.
2. Update Drupal core to the patched version via Composer (composer update drupal/core-recommended --with-dependencies) or by manual download.
3. Clear all caches (drush cr or via the admin interface).

🔧 Temporary Workarounds

Input validation hardening (applies to: all)

Implement strict input validation to prevent deserialization of untrusted data in all user inputs.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block deserialization attempts.
  • Restrict network access to Drupal admin interfaces and apply principle of least privilege.

🔍 How to Verify

Check if Vulnerable:

Check Drupal version via admin/reports/status or drush status. Compare against affected versions.

Check Version:

drush status | grep 'Drupal version' or check admin/reports/status page.

Verify Fix Applied:

Confirm via admin/reports/status that the Drupal version is 7.102, 10.2.11, or 10.3.9 or later for the branch in use.
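As an added example (not part of this advisory or of Drupal/Drush), the following POSIX shell helper classifies a Drupal core version string against the affected ranges listed above, including the boundary versions on each branch. The drush output format "Drupal version : X.Y.Z" and the treatment of 10.4+ and 11.x as outside the listed ranges are assumptions.

```shell
#!/bin/sh
# Added example: classify a Drupal core version against the ranges in this
# advisory (affected: 7.0-7.101, 8.0.0-10.2.10, 10.3.0-10.3.8; fixed in
# 7.102, 10.2.11, 10.3.9). Exit status: 0 = in an affected range,
# 1 = not in a listed range, 2 = not a parseable version string.
drupal_vulnerable() {
  ver=${1%%[-+]*}                       # drop suffixes such as -dev or +build
  case "$ver" in
    ''|*[!0-9.]*) return 2 ;;           # accept only plain dotted numeric versions
  esac
  old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
  major=${1:-0}; minor=${2:-0}; patch=${3:-0}
  case "$major" in
    7)   [ "$minor" -le 101 ] ;;        # 7.0 to 7.101 affected, 7.102 fixed
    8|9) return 0 ;;                    # every 8.x and 9.x lies inside 8.0.0-10.2.10
    10)
      if   [ "$minor" -le 1 ]; then return 0              # 10.0.x and 10.1.x
      elif [ "$minor" -eq 2 ]; then [ "$patch" -le 10 ]   # 10.2.0-10.2.10, fixed 10.2.11
      elif [ "$minor" -eq 3 ]; then [ "$patch" -le 8 ]    # 10.3.0-10.3.8, fixed 10.3.9
      else return 1                                       # 10.4+ not in the listed ranges (assumption)
      fi ;;
    *)   return 1 ;;                    # anything else (e.g. 11.x) is outside the listed ranges
  esac
}

# Print a human-readable verdict for one version string.
verdict() {
  rc=0; drupal_vulnerable "$1" || rc=$?
  case $rc in
    0) echo "$1: AFFECTED - update to 7.102, 10.2.11 or 10.3.9 for your branch" ;;
    1) echo "$1: not in the listed affected ranges" ;;
    *) echo "$1: could not parse version string" ;;
  esac
}

# Read the installed version the way the advisory suggests; the line format
# "Drupal version : X.Y.Z" is an assumption about drush status output.
installed_version() {
  drush status 2>/dev/null | grep 'Drupal version' | sed 's/.*: *//'
}

# Constructed sample versions covering each boundary named in the advisory.
for v in 7.101 7.102 9.5.11 10.2.10 10.2.11 10.3.8 10.3.9 10.3.8-dev 11.0.0; do
  verdict "$v"
done
```

On a live site, run verdict "$(installed_version)" from the Drupal root where drush is available.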

📡 Detection & Monitoring

Log Indicators:

  • Unusual PHP object injection attempts in web server logs
  • Errors related to unserialize() function

Network Indicators:

  • HTTP requests with serialized PHP objects in parameters

SIEM Query:

web* AND (unserialize OR php_object_injection)
