PT-2024-34157 · Laravel · Laravel Reverb

Robertboes · Published 2024-10-31 · Updated 2024-11-01 · CVE-2024-50347

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Laravel Reverb versions prior to 1.4.0
Description: Reverb accepted requests to its Pusher-compatible HTTP API without verifying the authentication signature that the Pusher protocol requires on every such request, so the check that is supposed to prove the caller holds the app secret never ran. This API is used for server-side operations such as broadcasting events or reading statistics about channels. The vulnerability affects only the Pusher-compatible API endpoints, not the WebSocket connections themselves. To exploit it, an attacker needs to reach the API and know the application ID, which should never be exposed; no app key or secret is required. The affected endpoints are POST /events, POST /events/batch, GET /connections, GET /channels, GET /channel, GET /channel/users, and POST /users/terminate.
Recommendations: Update to version 1.4.0 or later to resolve the issue. Until the update is applied, restrict access to the Pusher-compatible API endpoints (for example, allow them only from the application servers that need to broadcast, enforced at the network or reverse-proxy layer), and make sure the application ID is not exposed, since it is the only value an attacker needs.
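The following is an added example, not Reverb's own code or the advisory's: it models the difference between an API handler that only looks up the app ID (the behaviour described above) and one that verifies the request the way the Pusher HTTP API specifies (HMAC-SHA256 over "METHOD\npath\nsorted query params" with the app secret, plus body_md5 and auth_timestamp). The sample app registration, the event payloads, and the handler functions are constructed for illustration; the route shape /apps/{app_id}/events follows the Pusher API.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample app registration (not a real deployment). The secret stays
# server-side; only the key is ever handed to browsers.
APPS = {"123456": {"key": "demo-key", "secret": "demo-secret"}}


@dataclass
class ApiRequest:
    """Minimal stand-in for an HTTP request to the Pusher-compatible API."""
    method: str
    path: str                                   # e.g. /apps/123456/events
    params: dict = field(default_factory=dict)  # query-string parameters
    body: Optional[bytes] = None


def string_to_sign(method: str, path: str, params: dict) -> str:
    """Pusher canonical string: METHOD, path and the sorted query parameters
    (auth_signature excluded), joined by newlines."""
    query = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "auth_signature")
    return f"{method.upper()}\n{path}\n{query}"


def sign_request(method, path, body, app_key, app_secret, timestamp=None) -> dict:
    """Build the auth_* query parameters a legitimate Pusher client sends."""
    params = {
        "auth_key": app_key,
        "auth_timestamp": str(int(time.time() if timestamp is None else timestamp)),
        "auth_version": "1.0",
    }
    if body is not None:
        params["body_md5"] = hashlib.md5(body).hexdigest()
    mac = hmac.new(app_secret.encode(), string_to_sign(method, path, params).encode(), hashlib.sha256)
    params["auth_signature"] = mac.hexdigest()
    return params


def app_id_from_path(path: str) -> Optional[str]:
    parts = path.split("/")
    return parts[2] if len(parts) > 2 and parts[1] == "apps" else None


def authorize_without_signature_check(req: ApiRequest) -> bool:
    """Models the pre-1.4.0 behaviour the advisory describes: the app ID in the
    path is looked up, but the auth_* parameters are never examined."""
    return app_id_from_path(req.path) in APPS


def authorize_with_signature_check(req: ApiRequest, now=None, max_skew=600) -> bool:
    """Verify key, version, timestamp window, body digest and HMAC signature."""
    app = APPS.get(app_id_from_path(req.path))
    if app is None:
        return False
    p = req.params
    if p.get("auth_key") != app["key"] or p.get("auth_version") != "1.0":
        return False
    try:
        ts = int(p["auth_timestamp"])
    except (KeyError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > max_skew:          # limits replay of a captured request
        return False
    if req.body is not None and p.get("body_md5") != hashlib.md5(req.body).hexdigest():
        return False                      # body changed after it was signed
    expected = hmac.new(app["secret"].encode(),
                        string_to_sign(req.method, req.path, p).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, p.get("auth_signature", ""))


def build_legitimate_event(now: int) -> ApiRequest:
    """A broadcast signed by a server that holds the app secret (constructed)."""
    body = json.dumps({"name": "order.paid", "channels": ["private-orders"], "data": "{}"}).encode()
    path = "/apps/123456/events"
    app = APPS["123456"]
    return ApiRequest("POST", path, sign_request("POST", path, body, app["key"], app["secret"], now), body)


def build_forged_event(now: int) -> ApiRequest:
    """An attacker who knows only the app ID: guessed key, made-up signature (constructed)."""
    body = json.dumps({"name": "order.paid", "channels": ["private-orders"], "data": "{\"spoof\":true}"}).encode()
    path = "/apps/123456/events"
    params = {"auth_key": "guess", "auth_timestamp": str(now), "auth_version": "1.0",
              "body_md5": hashlib.md5(body).hexdigest(), "auth_signature": "00" * 32}
    return ApiRequest("POST", path, params, body)


def tamper(req: ApiRequest) -> ApiRequest:
    """A correctly signed request whose body was modified in transit."""
    return ApiRequest(req.method, req.path, dict(req.params), req.body + b" ")


if __name__ == "__main__":
    now = int(time.time())
    for label, req in (("legitimate", build_legitimate_event(now)), ("forged", build_forged_event(now))):
        print(label, "unverified:", authorize_without_signature_check(req),
              "verified:", authorize_with_signature_check(req, now))
```

The unverified handler accepts the forged POST /events exactly as readily as the legitimate one, which is the whole impact described above (integrity only: the attacker injects or terminates, but reads nothing). The verified handler rejects it at the key check, and would still reject it at the HMAC comparison if the key were public knowledge; the timestamp window and body_md5 check close the replay and tamper cases a plain signature check alone leaves open.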

Weakness Enumeration

Insufficient Verification of Data Authenticity (CWE-345)
Improper Verification of Cryptographic Signature (CWE-347)

Related Identifiers

CVE-2024-50347
GHSA-PFRR-XVRF-PXJX

Affected Products

Laravel Reverb