CVE-2024-55636: 
PHP vulnerability analysis and mitigation

Deserialization of Untrusted Data vulnerability (CVE-2024-55636) affects Drupal Core versions from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, and from 11.0.0 before 11.0.8. The vulnerability was disclosed on December 9, 2024 (NVD).

The vulnerability involves a chain of methods in Drupal core that becomes exploitable when an insecure deserialization vulnerability exists on the site. While this gadget chain presents no direct threat by itself, it can be leveraged as a vector to achieve remote code execution if the application deserializes untrusted data due to another vulnerability. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (CISA-ADP).

If successfully exploited, this vulnerability could allow an attacker to achieve remote code execution on affected systems when combined with other deserialization vulnerabilities. The high CVSS score indicates that the vulnerability could potentially lead to complete system compromise with high impacts on confidentiality, integrity, and availability (NVD).

Users should upgrade to Drupal Core version 10.2.11, 10.3.9, or 11.0.8 depending on their current version track. These versions contain the necessary security fixes to address the vulnerability (NVD).