Insufficient Type Distinction Affecting livewire/livewire package, versions <3.5.2
- Snyk ID SNYK-PHP-LIVEWIRELIVEWIRE-8171408
- published 9 Oct 2024
- disclosed 8 Oct 2024
- credit Jeremy Angele
Introduced: 8 Oct 2024
CVE-2024-47823
How to fix?
Upgrade livewire/livewire to version 3.5.2 or higher.
Overview
livewire/livewire is a front-end framework for Laravel.
Affected versions of this package are vulnerable to Insufficient Type Distinction when validating uploaded files in the generateHashNameWithOriginalNameEmbedded() function: the extension used for validation is derived from the file's guessed MIME type, so the extension of the client-supplied filename is never checked against it. An attacker can execute code by uploading a file whose content has a valid MIME type such as image/png but which also contains executable code and carries an executable file extension like .php.
Note: This is only exploitable if all of the following conditions are met, as illustrated in the snippet below:
- The affected application uses $file->getClientOriginalName() to derive the name under which the uploaded file is stored.
- Files are stored in a publicly accessible directory on the affected server.
- The affected server is configured to execute uploaded files (for example, a web server that hands .php files in the upload directory to the PHP interpreter).
    <?php

    use Livewire\Attributes\Validate;
    use Livewire\Component;
    use Livewire\WithFileUploads;

    class SomeComponent extends Component
    {
        use WithFileUploads;

        // "image" checks the content's MIME type; "extensions:png" checks the
        // extension Livewire reports, which in affected versions is guessed
        // from that MIME type rather than taken from the client's filename.
        #[Validate('image|extensions:png')]
        public $file;

        public function save()
        {
            $this->validate();

            // Vulnerable pattern: the stored name is the client-supplied name,
            // so a PNG polyglot uploaded as "shell.php" is written as shell.php
            // into a publicly served directory.
            $this->file->storeAs(
                path: 'images',
                name: $this->file->getClientOriginalName(),
                options: ['disk' => 'public'],
            );
        }
    }
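The hardened form of the component above, as an added example that is not part of the advisory and not Livewire's own code. Upgrading to 3.5.2 remains the fix; this shows the application-side measures that close the same hole regardless of framework version: validate the extension of the name the client actually sent, and never reuse that name on disk. The namespace App\Livewire, the ALLOWED_EXTENSIONS constant and the use of Str::random for the stored name are assumptions for illustration.

```php
<?php

namespace App\Livewire; // assumed; adjust to the application's layout

use Illuminate\Support\Str;
use Livewire\Attributes\Validate;
use Livewire\Component;
use Livewire\WithFileUploads;

class SomeComponent extends Component
{
    use WithFileUploads;

    // Same rules as the vulnerable component; kept because "image" still
    // rejects content that is not an image at all.
    #[Validate('image|extensions:png')]
    public $file;

    // Allow-list applied to the extension the client actually sent (assumed name).
    private const ALLOWED_EXTENSIONS = ['png'];

    public function save()
    {
        $this->validate();

        // Check the extension of the client-supplied filename ourselves, independently
        // of whatever extension the framework derived from the MIME type. A PNG
        // polyglot uploaded as "shell.php" passes the rules above but fails here.
        $clientExtension = strtolower(
            pathinfo($this->file->getClientOriginalName(), PATHINFO_EXTENSION)
        );

        if (! in_array($clientExtension, self::ALLOWED_EXTENSIONS, true)) {
            $this->addError('file', 'Unexpected file extension.');
            return;
        }

        // Never store under the client's filename. Generate a random name and force
        // the extension that was just validated, so the stored path can never end in
        // .php even if the check above is weakened later.
        $storedName = Str::random(40) . '.' . $clientExtension;

        $this->file->storeAs(
            path: 'images',
            name: $storedName,
            options: ['disk' => 'public'],
        );
    }
}
```

The two checks are deliberately independent: the extension allow-list stops the polyglot at validation time, and the random server-chosen filename means that even a file that slips through is stored under a name the web server will serve as a static image rather than execute. Storing uploads outside the web root, or on a disk the web server does not execute from, removes the third precondition listed in the advisory as well.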