CVE-2024-55661

8.8 HIGH

📋 TL;DR

CVE-2024-55661 is a remote code execution vulnerability in the Laravel Pulse monitoring tool. Authenticated users with dashboard access can execute arbitrary PHP code through the vulnerable remember() method. This affects all Laravel applications using Pulse versions before 1.3.1.

💻 Affected Systems

Products:
  • Laravel Pulse
Versions: All versions prior to 1.3.1
Operating Systems: All operating systems running Laravel Pulse
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Laravel Pulse dashboard access. All Pulse card components using the RemembersQueries trait are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full server compromise allowing an attacker to execute arbitrary commands, access sensitive data, modify application code, and pivot to other systems.

🟠 Likely Case: Unauthorized code execution leading to data theft, privilege escalation, and installation of persistence mechanisms.

🟢 If Mitigated: Limited impact if proper authentication controls restrict dashboard access to trusted administrators only.

🌐 Internet-Facing: HIGH if Pulse dashboard is publicly accessible or exposed to untrusted networks.
🏢 Internal Only: MEDIUM as authenticated users with dashboard access can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to Pulse dashboard. The vulnerability allows calling arbitrary callables with minimal technical complexity.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.1

Vendor Advisory: https://github.com/laravel/pulse/security/advisories/GHSA-8vwh-pr89-4mw2

Restart Required: No

Instructions:

1. Update Laravel Pulse to version 1.3.1 or later via Composer: composer require laravel/pulse:^1.3.1
2. Run composer update
3. Clear Laravel cache: php artisan cache:clear
4. Verify the update completed successfully

🔧 Temporary Workarounds

Restrict Dashboard Access


Limit Laravel Pulse dashboard access to trusted administrators only using middleware or authentication gates.
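One way to apply this workaround is through the `viewPulse` authorization gate that Pulse consults before serving the dashboard. The following is an added example, not code from the advisory or the Pulse project; it assumes a Laravel application whose `User` model has a boolean `is_admin` attribute (an assumption for this example) and is placed in `app/Providers/AppServiceProvider.php`:

```php
<?php
// Added example (not from the advisory or the Pulse project).
// Pulse authorizes dashboard requests through the `viewPulse` gate; outside the
// local environment the dashboard is only reachable when this gate allows the
// user. Defining it narrowly restricts access to trusted administrators, which
// is the temporary workaround described above.

namespace App\Providers;

use App\Models\User;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Only administrators may open the Pulse dashboard. The `is_admin`
        // attribute is an assumption for this example; substitute the check
        // your application uses to identify trusted administrators.
        Gate::define('viewPulse', function (User $user): bool {
            return (bool) $user->is_admin;
        });
    }
}
```

Any authenticated user who fails this gate receives a 403 from the Pulse routes, so the population able to reach the vulnerable `remember()` path is reduced to the administrators you already trust with the server. Pair it with the logging and monitoring steps below rather than relying on it alone.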

Disable Pulse Components


Temporarily disable Pulse card components that use the RemembersQueries trait until patching is possible.

🧯 If You Can't Patch

  • Implement strict network access controls to restrict Pulse dashboard to trusted IP addresses only.
  • Enable detailed logging and monitoring of all Pulse dashboard access and unusual PHP function calls.

🔍 How to Verify

Check if Vulnerable:

Check composer.json or run: composer show laravel/pulse --direct | grep version

Check Version:

composer show laravel/pulse --direct | grep version

Verify Fix Applied:

Confirm version is 1.3.1 or higher: composer show laravel/pulse --direct | grep version
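For fleets where running `composer show` on every host is impractical, the same check can be made against the repository's `composer.lock`. The script below is an added example, not part of the advisory; it uses PHP's built-in `version_compare()` against the patched release and embeds a constructed `composer.lock` excerpt so it runs offline (replace the sample with `file_get_contents('composer.lock')` in practice):

```php
<?php
// Added example (not from the advisory or the Pulse project): locate the
// installed laravel/pulse version in composer.lock data and compare it with
// the fixed release 1.3.1. The lock-file content below is constructed sample
// data so the script runs without a real project.

declare(strict_types=1);

const FIXED_VERSION = '1.3.1';

/**
 * Return the installed laravel/pulse version from decoded composer.lock data,
 * or null if the package is not locked at all.
 */
function pulseVersionFromLock(array $lock): ?string
{
    $all = array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []);
    foreach ($all as $pkg) {
        if (($pkg['name'] ?? null) === 'laravel/pulse') {
            // Lock files usually carry a leading "v" (e.g. "v1.3.0") that
            // version_compare() does not understand, so strip it.
            return ltrim((string) $pkg['version'], 'v');
        }
    }
    return null;
}

/** True when the installed version is at or above the patched release. */
function pulseIsPatched(string $installed): bool
{
    // version_compare handles multi-digit components correctly, so "1.10.0"
    // is treated as newer than "1.3.1" (a plain string comparison would not).
    return version_compare($installed, FIXED_VERSION, '>=');
}

// Constructed sample lock data standing in for file_get_contents('composer.lock').
$sampleLock = <<<'JSON'
{"packages":[{"name":"laravel/framework","version":"v11.30.0"},
             {"name":"laravel/pulse","version":"v1.3.0"}],
 "packages-dev":[]}
JSON;

$lock = json_decode($sampleLock, true, 512, JSON_THROW_ON_ERROR);
$installed = pulseVersionFromLock($lock);

if ($installed === null) {
    echo "laravel/pulse is not present in composer.lock\n";
} elseif (pulseIsPatched($installed)) {
    echo "laravel/pulse {$installed}: patched (>= " . FIXED_VERSION . ")\n";
} else {
    echo "laravel/pulse {$installed}: vulnerable to CVE-2024-55661, upgrade to " . FIXED_VERSION . "\n";
}
```

Branch aliases such as `dev-main` do not compare meaningfully with `version_compare()`; if a project tracks a development branch, fall back to the `composer show` command above on the deployed host.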

📡 Detection & Monitoring

Log Indicators:

  • Unusual remember() method calls in application logs
  • Suspicious PHP function executions from Pulse components
  • Multiple failed authentication attempts to Pulse dashboard

Network Indicators:

  • Unusual outbound connections from Laravel application server
  • HTTP requests to Pulse dashboard endpoints from unexpected sources

SIEM Query:

source="laravel.log" AND ("remember()" OR "Pulse" OR "RemembersQueries") AND (severity="ERROR" OR severity="CRITICAL")
