FKIE_CVE-2026-23524

Vulnerability from fkie_nvd - Published: 2026-01-21 22:15 - Updated: 2026-03-06 20:02
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP’s unserialize() function without restricting which classes can be instantiated, which leaves users vulnerable to Remote Code Execution. The exploitability of this vulnerability is increased because Redis servers are commonly deployed without authentication, but only affects Laravel Reverb when horizontal scaling is enabled (REVERB_SCALING_ENABLED=true). This issue has been fixed in version 1.7.0. As a workaround, require a strong password for Redis access and ensure the service is only accessible via a private network or local loopback, and/or set REVERB_SCALING_ENABLED=false to bypass the vulnerable logic entirely (if the environment uses only one Reverb node).
References
security-advisories@github.comhttps://cwe.mitre.org/data/definitions/502.htmlTechnical Description
security-advisories@github.comhttps://github.com/laravel/reverb/commit/9ec26f8ffbb701f84920dd0bb9781a1797591f1aPatch
security-advisories@github.comhttps://github.com/laravel/reverb/releases/tag/v1.7.0Product, Release Notes
security-advisories@github.comhttps://github.com/laravel/reverb/security/advisories/GHSA-m27r-m6rx-mhm4Mitigation, Vendor Advisory
security-advisories@github.comhttps://laravel.com/docs/12.x/reverb#scalingTechnical Description
Impacted products
Vendor Product Version
laravel reverb *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:laravel:reverb:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AC0C178D-8618-4963-8AB2-75B260023D0A",
              "versionEndExcluding": "1.7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP\u2019s unserialize() function without restricting which classes can be instantiated, which leaves users vulnerable to Remote Code Execution. The exploitability of this vulnerability is increased because Redis servers are commonly deployed without authentication, but only affects Laravel Reverb when horizontal scaling is enabled (REVERB_SCALING_ENABLED=true). This issue has been fixed in version 1.7.0. As a workaround, require a strong password for Redis access and ensure the service is only accessible via a private network or local loopback, and/or set REVERB_SCALING_ENABLED=false to bypass the vulnerable logic entirely (if the environment uses only one Reverb node)."
    },
    {
      "lang": "es",
      "value": "Laravel Reverb proporciona un backend de comunicaci\u00f3n WebSocket en tiempo real para aplicaciones Laravel. En las versiones 1.6.3 e inferiores, Reverb pasa datos del canal Redis directamente a la funci\u00f3n unserialize() de PHP sin restringir qu\u00e9 clases pueden ser instanciadas, lo que deja a los usuarios vulnerables a la ejecuci\u00f3n remota de c\u00f3digo. La explotabilidad de esta vulnerabilidad se incrementa porque los servidores Redis se implementan com\u00fanmente sin autenticaci\u00f3n, pero solo afecta a Laravel Reverb cuando el escalado horizontal est\u00e1 habilitado (REVERB_SCALING_ENABLED=true). Este problema ha sido solucionado en la versi\u00f3n 1.7.0. Como soluci\u00f3n alternativa, requiera una contrase\u00f1a fuerte para el acceso a Redis y aseg\u00farese de que el servicio solo sea accesible a trav\u00e9s de una red privada o loopback local, y/o configure REVERB_SCALING_ENABLED=false para eludir completamente la l\u00f3gica vulnerable (si el entorno utiliza solo un nodo Reverb)."
    }
  ],
  "id": "CVE-2026-23524",
  "lastModified": "2026-03-06T20:02:37.250",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-21T22:15:50.280",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Technical Description"
      ],
      "url": "https://cwe.mitre.org/data/definitions/502.html"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/laravel/reverb/commit/9ec26f8ffbb701f84920dd0bb9781a1797591f1a"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/laravel/reverb/releases/tag/v1.7.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/laravel/reverb/security/advisories/GHSA-m27r-m6rx-mhm4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Technical Description"
      ],
      "url": "https://laravel.com/docs/12.x/reverb#scaling"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.