Laravel admin package Voyager vulnerable to one-click RCE flaw

Three vulnerabilities discovered in the open-source PHP package Voyager for managing Laravel applications could be used for remote code execution attacks.

The issues remain unfixed and can be exploited against an authenticated Voyager user that clicks on a malicious link.

Vulnerability researchers at SonarSource, a code quality and security company, say that they tried to report the flaws to the Voyager maintainers but received no reply within the 90-day window the company provides as per its vulnerability disclosure policy.

Vulnerability details

The SonarQube Cloud team found the first vulnerability in Voyager, an arbitrary file write, during its routine scans. Looking closer at the project, they discovered additional security issues that could be combined to run one-click remote code execution attacks on reachable Voyager instances.

The three flaws are summarized as follows:

  • CVE-2024-55417 – Voyager’s media upload feature allows attackers to upload malicious files by bypassing MIME-type verification. By crafting a polyglot file that appears as an image or video but contains executable PHP code, an attacker can achieve remote code execution if the file is processed on the server.
  • CVE-2024-55416 – The /admin/compass endpoint in Voyager improperly sanitizes user input, allowing attackers to inject JavaScript into popup messages. If an authenticated admin clicks on a malicious link, the script executes in their browser, potentially allowing attackers to perform actions on their behalf, including escalating to remote code execution.
  • CVE-2024-55415 – A flaw in the file management system enables attackers to manipulate file paths and delete or access arbitrary files on the server. By exploiting this, attackers can disrupt services, erase critical files, or extract sensitive information.

According to SonarQube Cloud researchers, they reported the three issues to the Voyager maintainers over email and GitHub, starting on September 11, 2024, but received no communication back.

During the 90-day disclosure period, they tried multiple times to obtain a reply and to inform the maintainers that the public disclosure date was approaching.

The researchers say that they also opened a security report via GitHub on November 28 and notified the Voyager maintainers that the 90-day disclosure window had expired and that they were about to share the technical details publicly.

Impact and recommendations

Voyager is primarily used by Laravel developers who need a pre-built admin panel to manage their applications.

Typical users are web development companies, startups, freelance developers, Laravel hobbyists, and generally, small to medium-sized businesses that use Laravel for internal tools or CMS-based applications.

The Voyager project is highly popular as it has been forked 2,700 times on GitHub, received more than 11,800 stars and counts millions of downloads.

Given that the three flaws SonarQube discovered remain unpatched, Voyager users should consider restricting access to trusted users only, limiting “browse_media” permissions to prevent unauthorized file uploads, and using role-based access control (RBAC) to minimize exposure.

Server-level security measures include disabling the execution of PHP files, using strict MIME type validation to reject polyglot files, and regularly monitoring logs for unusual file upload or access activity.
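As an added illustration of the strict MIME validation described above (this is example code written for this article, not Voyager's own upload handling), the validator below sniffs the real content type with `finfo`, requires the extension to match it, scans the whole body for PHP markers that a polyglot would carry, and re-encodes raster images so any appended payload is dropped. It assumes PHP 8 with the `fileinfo` and `gd` extensions; the class and method names are hypothetical.

```php
<?php
declare(strict_types=1);

// Example upload validator (not Voyager code). Returns null when the file is
// acceptable, otherwise a human-readable rejection reason suitable for logging.
final class StrictUploadValidator
{
    // Allow-list keyed by the MIME type sniffed from CONTENT, never the client header.
    private const ALLOWED = [
        'image/png'  => ['png'],
        'image/jpeg' => ['jpg', 'jpeg'],
        'image/gif'  => ['gif'],
        'video/mp4'  => ['mp4'],
    ];

    // Byte sequences that have no business inside an image or video.
    private const PHP_MARKERS = ['<?php', '<?=', '<script language="php"'];

    public static function check(string $path, string $originalName): ?string
    {
        $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
        if (str_contains($originalName, "\0") || $ext === '' || substr_count($originalName, '.') > 1) {
            return 'rejected: suspicious filename (null byte, missing or double extension)';
        }

        // Magic-byte sniffing catches a .png that is really a .php, but NOT a polyglot.
        $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($path);
        if ($sniffed === false || !isset(self::ALLOWED[$sniffed])) {
            return "rejected: content type " . var_export($sniffed, true) . " is not allow-listed";
        }
        if (!in_array($ext, self::ALLOWED[$sniffed], true)) {
            return "rejected: extension .{$ext} does not match sniffed type {$sniffed}";
        }

        // A polyglot has valid magic bytes followed by code, so scan the entire body.
        $body = file_get_contents($path);
        foreach (self::PHP_MARKERS as $marker) {
            if (stripos($body, $marker) !== false) {
                return "rejected: PHP marker {$marker} found inside {$sniffed} file";
            }
        }

        // Defence in depth for images: decode and re-encode, discarding trailing data.
        if (str_starts_with($sniffed, 'image/')) {
            $img = @imagecreatefromstring($body);
            if ($img === false) {
                return 'rejected: image failed to decode';
            }
            match ($sniffed) {
                'image/png'  => imagepng($img, $path),
                'image/jpeg' => imagejpeg($img, $path, 90),
                'image/gif'  => imagegif($img, $path),
            };
            imagedestroy($img);
        }
        return null;
    }
}
```

Pair this with a web-server rule that refuses to execute PHP under the upload directory, so a file that slips past validation is served as static bytes rather than run.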

If security is critical, avoid using Voyager in production environments until official patches are out, or consider migrating to another Laravel admin panel.
