PT-2024-10192 · Laravel · Laravel Pulse

Angelej · Published 2024-10-12 · Updated 2025-08-27 · CVE-2024-55661

CVSS v4.0: 9.3 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Laravel Pulse versions prior to 1.3.1

Description

A vulnerability has been discovered in Laravel Pulse that could allow remote code execution through the public remember() method in the Laravel\Pulse\Livewire\Concerns\RemembersQueries trait. This method is accessible via Livewire components and can be exploited to call arbitrary callables within the application. An authenticated user with access to the Laravel Pulse dashboard can execute arbitrary code by calling any function or static method that meets the following criteria: the callable is a function or static method, and the callable has no parameters or no strict parameter types. The vulnerable component is the remember(callable $query, string $key = '') method in Laravel\Pulse\Livewire\Concerns\RemembersQueries, and the vulnerability affects all Pulse card components that use this trait.

Recommendations

For versions prior to 1.3.1, update to version 1.3.1 or later to resolve the issue. As a temporary workaround, consider disabling the remember() function in the Laravel\Pulse\Livewire\Concerns\RemembersQueries trait until a patch is available. Restrict access to the vulnerable Laravel\Pulse\Livewire\Concerns\RemembersQueries trait to minimize the risk of exploitation. Avoid using the remember() method in Livewire components until the issue is resolved.
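
To find projects that still need the update, the following added example (not part of the advisory or of Laravel's code) reads a composer.lock file and reports whether the locked Laravel Pulse version is older than 1.3.1. It assumes the Composer package name laravel/pulse; the sample lock content is constructed for illustration.

```python
import json
import re
import sys

PACKAGE = "laravel/pulse"   # assumed Composer package name of Laravel Pulse
FIXED = (1, 3, 1)           # first fixed release named in the advisory

# Constructed sample input, not taken from a real project.
SAMPLE_LOCK = """{"packages": [
  {"name": "laravel/framework", "version": "v11.30.0"},
  {"name": "laravel/pulse", "version": "v1.2.5"}],
 "packages-dev": []}"""


def parse_version(raw):
    """Return ((major, minor, patch), is_stable), or None for branch aliases like dev-main."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)?(-.+)?", raw.strip())
    if not m:
        return None
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return core, m.group(4) is None


def check_lock(lock_text):
    """Classify composer.lock content as absent, affected, patched or unknown."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if str(pkg.get("name", "")).lower() != PACKAGE:
                continue
            version = str(pkg.get("version", ""))
            parsed = parse_version(version)
            if parsed is None:
                return "unknown", version      # branch install: review by hand
            core, stable = parsed
            # A pre-release of 1.3.1 itself sorts before the fixed release.
            if core < FIXED or (core == FIXED and not stable):
                return "affected", version
            return "patched", version
    return "absent", None


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    status, version = check_lock(text)
    print(f"{PACKAGE}: {status} ({version})")
    sys.exit(1 if status in ("affected", "unknown") else 0)
```

Run it with the path to a composer.lock as the only argument; the exit status is non-zero for affected or unclassifiable installs, so it can gate a CI job.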

Exploit

Fix

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2025-00521
CVE-2024-55661
GHSA-8VWH-PR89-4MW2

Affected Products

Laravel Pulse