CVE-2024-55637: 
PHP vulnerability analysis and mitigation

A Deserialization of Untrusted Data vulnerability (CVE-2024-55637) was discovered in Drupal Core affecting versions from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, and from 11.0.0 before 11.0.8. The vulnerability was disclosed on December 9, 2024, and involves a chain of methods that becomes exploitable when an insecure deserialization vulnerability exists on the site (NVD).

The vulnerability centers around a gadget chain within Drupal core that can be exploited when an insecure deserialization vulnerability is present. While this gadget chain doesn't present a direct threat by itself, it can serve as a vector for achieving remote code execution if the application deserializes untrusted data due to another vulnerability. The vulnerability has received a CVSS v3.1 Base Score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (CISA-ADP).

If successfully exploited, this vulnerability could lead to remote code execution on affected systems. The vulnerability becomes particularly dangerous when combined with other vulnerabilities that allow for the deserialization of untrusted data, potentially giving attackers the ability to execute arbitrary code on the target system (NVD).

Users are advised to upgrade their Drupal Core installations to versions 10.2.11, 10.3.9, or 11.0.8 depending on their current version track. These versions contain the necessary security fixes to address the vulnerability (NVD).