PT-2024-32835 · Unknown · Livewire/Livewire

Angelej · Published 2024-10-08 · Updated 2024-11-07 · CVE-2024-47823

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: livewire/livewire versions prior to 2.12.7 and v3.5.2
Description: The issue stems from insufficient validation of uploaded file extensions in the Livewire framework for Laravel. An attacker can bypass validation by uploading a file with a valid MIME type but a malicious file extension, such as ".php". If certain criteria are met, namely that the original client-supplied file name is used, the file is stored on a public disk, and the web server is configured to execute ".php" files, the attacker can achieve remote code execution (RCE).
Recommendations: To resolve the issue, upgrade to release version 2.12.7 or 3.5.2. There is no known workaround that fully addresses the vulnerability, so all users are advised to upgrade to a patched version. Until the upgrade is applied, reduce exposure by not using $file->getClientOriginalName() to compose stored filenames, by restricting file storage to non-public disks, and by ensuring the web server is not configured to execute ".php" files in the storage directory.
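An added example, not Livewire's own code, contrasting the risky upload handling described above with a hardened version that applies the interim measures from the recommendations: an extension allowlist, a cross-check against the extension implied by the file's content, a server-generated name, and a non-public disk. It assumes a Laravel application using Illuminate\Http\UploadedFile; the function names and the allowlist are hypothetical.

```php
<?php
// Added example (not Livewire's code). Assumes a Laravel application.

use Illuminate\Http\UploadedFile;
use Illuminate\Support\Str;

// Hypothetical allowlist: only the extensions the application actually needs.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'pdf'];

// Risky pattern: the client-supplied name (and so its extension) decides what
// lands on a web-served disk. A MIME-only check lets through a file whose bytes
// look like an image but whose name ends in ".php".
function storeUploadRisky(UploadedFile $file): string
{
    return $file->storeAs('uploads', $file->getClientOriginalName(), 'public');
}

// Hardened pattern: allowlist the claimed extension, require that the extension
// derived from the sniffed content agrees with it, pick a random name, and keep
// the file on a disk the web server never serves.
function storeUploadHardened(UploadedFile $file): string
{
    $clientExt  = strtolower($file->getClientOriginalExtension());
    $contentExt = strtolower((string) $file->extension()); // from the guessed MIME type

    if (!in_array($clientExt, ALLOWED_EXTENSIONS, true)) {
        throw new \InvalidArgumentException('Extension not allowed: ' . $clientExt);
    }
    if (!in_array($contentExt, ALLOWED_EXTENSIONS, true) || !sameFamily($clientExt, $contentExt)) {
        throw new \InvalidArgumentException('File content does not match its extension');
    }

    // Server-chosen name: the client never controls the stored path.
    $name = Str::random(40) . '.' . $clientExt;

    // 'local' is the private disk in a default Laravel config; nothing under it is web-served.
    return $file->storeAs('uploads', $name, 'local');
}

// Treats jpg/jpeg as the same family so a legitimate JPEG is not rejected.
function sameFamily(string $a, string $b): bool
{
    $aliases = ['jpg' => 'jpeg'];
    return ($aliases[$a] ?? $a) === ($aliases[$b] ?? $b);
}
```

Serving a stored file from the private disk then goes through an application route that sets the content type and Content-Disposition itself, so the stored name is never handed to the web server as an executable path.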

Exploit · Fix

Unrestricted File Upload · RCE

Weakness Enumeration

Related Identifiers

BDU:2025-01106
CVE-2024-47823
GHSA-F3CX-396F-7JQP

Affected Products

Livewire/Livewire