Laravel · Laravel Reverb · CVE-2024-50347
Name of the Vulnerable Software and Affected Versions:
Laravel Reverb versions prior to 1.4.0
Description:
Laravel Reverb did not verify the signatures on requests sent to its Pusher-compatible API. This API is used for server-side operations such as broadcasting messages or obtaining statistical information about channels. The vulnerability only affects the Pusher-compatible API endpoints, not the WebSocket connections themselves. To exploit this, an attacker would need to know the application ID, which should never be exposed. The affected API endpoints include `POST /events`, `POST /events batch`, `GET /connections`, `GET /channels`, `GET /channel`, `GET /channel users`, and `POST /users terminate`.
Recommendations:
For versions prior to 1.4.0, update to version 1.4.0 to resolve the issue. As a temporary workaround, restrict access to the Pusher-compatible API endpoints until the update is applied. Additionally, ensure that the application ID is not exposed, since knowledge of it is required to exploit the issue.
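The check that the description says was missing is the standard Pusher HTTP API request signature. The following added example (not Reverb's or Pusher's code) shows a signer and the corresponding verifier; the credentials, the `/apps/{app_id}/...` path layout and the 600-second timestamp window are assumptions for illustration.

```python
import hashlib
import hmac

# Constructed sample credentials (placeholders, not real Reverb or Pusher values).
APP_ID = "123456"
APP_KEY = "demo-key"
APP_SECRET = "demo-secret"
MAX_SKEW_SECONDS = 600  # assumed freshness window for auth_timestamp


def string_to_sign(method: str, path: str, params: dict) -> str:
    """Pusher-style string to sign: METHOD, path, then the query parameters
    with lowercased keys in sorted order, excluding auth_signature itself."""
    pairs = sorted((k.lower(), v) for k, v in params.items())
    query = "&".join(f"{k}={v}" for k, v in pairs if k != "auth_signature")
    return f"{method.upper()}\n{path}\n{query}"


def sign_request(method, path, params, body, key, secret, now):
    """Client side: add the auth_* parameters and the HMAC-SHA256 signature."""
    params = dict(params, auth_key=key, auth_timestamp=str(int(now)), auth_version="1.0")
    if body:
        params["body_md5"] = hashlib.md5(body.encode()).hexdigest()
    mac = hmac.new(secret.encode(), string_to_sign(method, path, params).encode(), hashlib.sha256)
    params["auth_signature"] = mac.hexdigest()
    return params


def verify_request(method, path, params, body, key, secret, now):
    """Server side: accept only a complete, fresh, correctly signed request.
    Omitting this step is the class of defect the advisory describes."""
    for name in ("auth_key", "auth_timestamp", "auth_version", "auth_signature"):
        if name not in params:
            return False
    if params["auth_key"] != key or params["auth_version"] != "1.0":
        return False
    ts = params["auth_timestamp"]
    if not ts.isdigit() or abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False
    # body_md5 binds the signature to the payload, so the body cannot be swapped
    if body and params.get("body_md5") != hashlib.md5(body.encode()).hexdigest():
        return False
    expected = hmac.new(secret.encode(), string_to_sign(method, path, params).encode(),
                        hashlib.sha256).hexdigest()
    # constant-time compare so the check does not leak the expected digest
    return hmac.compare_digest(expected, params["auth_signature"])
```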