CVE-2024-55661: 
PHP vulnerability analysis and mitigation

Laravel Pulse, a real-time application performance monitoring and dashboard tool for Laravel applications, was found to contain a remote code execution vulnerability (CVE-2024-55661) affecting versions prior to 1.3.1. The vulnerability was discovered in the public remember() method within the Laravel\Pulse\Livewire\Concerns\RemembersQueries trait, which could be exploited by authenticated users with access to the Laravel Pulse dashboard (GitHub Advisory, Security Online).

The vulnerability exists in the remember(callable $query, string $key = '') method of the RemembersQueries trait. This method is accessible through Livewire components and can be exploited to execute arbitrary callables within the application. The vulnerability has received a CVSS v4.0 score of 8.7 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, and a CVSS v3.1 score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

An authenticated user with access to the Laravel Pulse dashboard can execute arbitrary code by calling any function or static method that meets specific criteria: the callable must be a function or static method, and it must have no parameters or no strict parameter types. This could potentially lead to full system compromise, allowing attackers to execute system commands, read sensitive files, or take control of the server hosting the Laravel application (Security Online).

The vulnerability has been patched in Laravel Pulse version 1.3.1. Users are strongly advised to upgrade to this version immediately to address the security issue. A fix was implemented through a commit that modified the remember() method's visibility from public to protected (GitHub Commit).