Researchers report still-unpatched vulnerabilities in PHP Laravel management package Voyager
Take action: If you use the PHP package Voyager to manage Laravel apps, treat it as unmaintained and vulnerable to attack. If you cannot remove it from your infrastructure, restrict the "browse_media" permission to trusted admins so that untrusted users cannot upload files, and enforce strict server-side MIME type validation of uploads. Then plan a prompt migration to another tool.
Learn More
Multiple security researchers are reporting three vulnerabilities in Voyager, an open-source PHP package used to manage Laravel applications. The vulnerabilities remain unpatched despite responsible-disclosure attempts, which leaves organizations running Voyager in production exposed.
Voyager is widely used: about 2,700 GitHub forks, over 11,800 stars, and millions of downloads. Its users are mainly web development companies, startups, freelance developers, and small to medium-sized businesses that rely on Laravel for internal tools or CMS-style applications.
- CVE-2024-55417 (CVSS score 8.8): An arbitrary file write vulnerability in the "/admin/media/upload" endpoint that lets an attacker bypass the MIME-type check. A polyglot file that passes as an image or video while also containing PHP code can be uploaded; if the server later executes that file, the result is remote code execution.
- CVE-2024-55416 (CVSS score 6.1): A reflected cross-site scripting (XSS) vulnerability in the "/admin/compass" endpoint, which does not properly sanitize user input. Attacker-controlled JavaScript is injected into popup messages, so an authenticated admin who clicks a crafted link runs the attacker's script in their browser session with the admin's privileges.
- CVE-2024-55415 (CVSS score 7.5): A file path manipulation vulnerability in the file management system that allows an attacker to reach, and potentially delete, arbitrary files on the server. This can be used to disrupt services, destroy critical files, or extract sensitive information.
The vulnerabilities were first reported to the Voyager maintainers on September 11, 2024, by both email and GitHub. Despite repeated follow-ups, including notice that the 90-day disclosure window was approaching and a security report filed via GitHub on November 28, the maintainers did not respond.
With no official patch available, organizations using Voyager should restrict admin access to trusted users only, limit the "browse_media" permission so that untrusted users cannot upload files, enforce strict server-side MIME type validation of uploads, and, where security matters, plan a migration to an alternative Laravel admin panel.
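The following is an added example, not code from Voyager, Laravel, or the researchers, of the two checks the mitigations above call for: a server-side upload validator that catches the image/PHP polyglot described under CVE-2024-55417, and a path-containment check of the kind that would block the file path manipulation described under CVE-2024-55415. The class name MediaGuard, the ALLOWED map and the demo inputs are illustrative; it assumes PHP 8 with the bundled fileinfo extension, and is meant to sit in front of the media endpoints (for instance in a middleware or form request) while the package remains unpatched.

```php
<?php
// Added example (not Voyager's or Laravel's own code). PHP 8+, fileinfo ext.
declare(strict_types=1);

final class MediaGuard
{
    /** Allow-listed extension => MIME types that content sniffing may report for it. */
    private const ALLOWED = [
        'jpg'  => ['image/jpeg'],
        'jpeg' => ['image/jpeg'],
        'png'  => ['image/png'],
        'gif'  => ['image/gif'],
        'webp' => ['image/webp'],
        'mp4'  => ['video/mp4'],
    ];

    public function __construct(private string $mediaRoot)
    {
        $real = realpath($mediaRoot);
        if ($real === false) {
            throw new InvalidArgumentException("media root does not exist: $mediaRoot");
        }
        $this->mediaRoot = $real;
    }

    /**
     * Returns an error message, or null if the upload is acceptable. Checks:
     *  1. exactly one allow-listed extension (rejects shell.php.gif, .phtml, ...),
     *  2. the content-sniffed MIME type agrees with that extension; the
     *     client-supplied Content-Type header is never consulted,
     *  3. no PHP open tag anywhere in the bytes, which is what a GIF/JPEG
     *     polyglot relies on to be executed once it lands on disk.
     */
    public function validateUpload(string $originalName, string $bytes): ?string
    {
        $base = basename($originalName);
        if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $base, $m)) {
            return 'filename must be name.ext with a single extension';
        }
        $ext = strtolower($m[1]);
        if (!isset(self::ALLOWED[$ext])) {
            return "extension .$ext is not allowed";
        }

        $sniffed = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes) ?: 'unknown';
        if (!in_array($sniffed, self::ALLOWED[$ext], true)) {
            return "content looks like $sniffed, not a .$ext file";
        }

        // <?php, <?= and the short "<? " tag; a valid image never needs these.
        if (preg_match('/<\?(php|=|\s)/i', $bytes)) {
            return 'PHP open tag found inside file: polyglot upload rejected';
        }
        return null;
    }

    /**
     * Resolves a user-supplied relative path and refuses anything that ends up
     * outside the media root: "../" sequences, absolute paths, or symlinks that
     * point elsewhere. Returns the canonical path, or null.
     */
    public function safePath(string $userPath): ?string
    {
        $candidate = $this->mediaRoot . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\');
        $real = realpath($candidate);
        if ($real === false) {
            return null; // nothing there to read or delete
        }
        return str_starts_with($real, $this->mediaRoot . DIRECTORY_SEPARATOR) ? $real : null;
    }
}

// Constructed demo inputs: a tiny 1x1 GIF on disk, a GIF-header/PHP polyglot,
// and a traversal path. None of these come from the advisory.
$root = sys_get_temp_dir() . '/voyager-media-demo';
if (!is_dir($root)) {
    mkdir($root);
}
$tinyGif = "GIF89a\x01\x00\x01\x00\x00\xff\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x00;";
file_put_contents("$root/logo.gif", $tinyGif);
$guard = new MediaGuard($root);

$polyglot = "GIF89a\x01\x00\x01\x00\x00\xff\x00;<?php system(\$_GET['c']); ?>";
var_dump($guard->validateUpload('avatar.gif', $polyglot));     // string: polyglot rejected
var_dump($guard->validateUpload('avatar.php.gif', $polyglot)); // string: bad filename
var_dump($guard->validateUpload('logo.gif', $tinyGif));        // NULL: accepted

var_dump($guard->safePath('../../etc/passwd')); // NULL: escapes the media root
var_dump($guard->safePath('logo.gif'));         // string: canonical path inside the root
```

The polyglot passes the MIME check on purpose: libmagic sees the GIF89a header and reports image/gif, which is exactly why MIME validation alone is insufficient and the PHP-tag scan is needed as a second gate. As a further defence-in-depth step, which is general practice rather than something the advisory states, configure the web server so that nothing under the media directory is ever handed to the PHP interpreter; then even an upload that slips past both checks cannot execute.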