CVE-2024-50347: 
PHP vulnerability analysis and mitigation

Laravel Reverb, a real-time WebSocket communication backend for Laravel applications, was found to have a security vulnerability prior to version 1.4.0. The issue involved unverified verification signatures for requests sent to Reverb's Pusher-compatible API, which is used for broadcasting messages and obtaining channel statistics. The vulnerability was discovered and disclosed by a community member, and was assigned CVE-2024-50347 (GitHub Advisory).

The vulnerability stems from the lack of verification for request signatures in the Pusher-compatible API endpoints. The verification signature is a hash composed of various request components signed by the app's secret key. While the signature was sent as part of the request, Reverb failed to regenerate and verify it to ensure the request originated from a legitimate source. The affected endpoints included POST /events, POST /eventsbatch, GET /connections, GET /channels, GET /channel, GET /channelusers, and POST /users_terminate (GitHub Advisory). The vulnerability has been assigned a CVSS v4.0 score of 6.3 MEDIUM (NVD).

The vulnerability could allow unauthorized access to the Pusher-compatible API endpoints, potentially enabling attackers to broadcast messages or obtain statistical information about channels. However, the impact is limited as exploitation requires knowledge of the application ID, which should never be exposed. Additionally, the vulnerability only affects the API endpoints and not the WebSocket connections themselves (GitHub Advisory).

The vulnerability has been patched in Laravel Reverb version 1.4.0. The fix implements proper API signature verification through pull request #252. Users are advised to upgrade to version 1.4.0 or later to address this security issue (GitHub Release).