Laravel Reverb Insecure Deserialization Vulnerability Allowing Remote Code Execution
Vulnerability
A critical vulnerability allowing remote code execution has been identified in Laravel Reverb versions prior to 1.7.0. When horizontal scaling is enabled, Reverb servers exchange messages over Redis PubSub, and the message body received from the Redis channel is passed directly to PHP's unserialize() without restricting which classes may be instantiated. Anyone who can publish to that Redis instance can therefore hand Reverb an attacker-controlled serialized object; this is trivial when Redis is deployed without authentication, which is the configuration in which the issue is most readily exploitable. The flaw has been addressed in version 1.7.0.
Impact
Exploitation of this vulnerability could lead to arbitrary code execution on the host running the Reverb server, with the privileges of the Reverb process. The attack path runs through the Redis scaling channel rather than through Reverb's own client-facing interface, so the relevant attacker is anyone able to publish to the configured Redis instance.
Reproduction
To reproduce this vulnerability, enable horizontal scaling in a Laravel application using Reverb by setting the REVERB_SCALING_ENABLED environment variable to true, and point Reverb at a Redis server that accepts connections without authentication. With Reverb running, publish a message to the Redis channel Reverb subscribes to for scaling, where the message body is a PHP-serialized object rather than the data Reverb expects. As with any unrestricted unserialize() call, the payload's effect comes from the magic methods (such as __wakeup or __destruct) of a class that is already loaded in the Reverb process; a suitable object reaches a dangerous sink and executes attacker-chosen code when Reverb unserializes the message.
Remediation
Users are advised to update Laravel Reverb to version 1.7.0 or later. If an immediate upgrade is not possible, disable horizontal scaling as a temporary measure by setting REVERB_SCALING_ENABLED to false (this is only viable where a single Reverb server is sufficient), and ensure that the Redis server requires a strong password (requirepass or Redis ACLs) and is reachable only over a private network or the local loopback interface. Authenticating and network-restricting Redis is good practice regardless of the Reverb version, since it removes the publishing access the attack depends on.
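The following stand-alone PHP script is an added example, not Reverb's own code, illustrating both the reproduction scenario above and the class of fix. It models the vulnerable pattern described in this advisory (a channel message handed straight to unserialize()) next to a hardened handler that passes allowed_classes => false. The WakeupGadget class and both payloads are constructed for the demonstration: the class only counts how often its __wakeup runs, standing in for a real gadget whose magic method would reach a dangerous sink. The allowed_classes => false mitigation shown is the generic PHP hardening for this bug class; this page does not state exactly how version 1.7.0 implements its fix, so that is not claimed here.

```php
<?php
// Added example (not Laravel Reverb's code): why feeding a Redis PubSub
// message to unserialize() without class restrictions is dangerous, and
// what the restricted form does with the same payload.

declare(strict_types=1);

// Constructed stand-in for an application class with a magic method.
// A real gadget chain reuses classes already loaded by the framework;
// this one only records that __wakeup executed.
final class WakeupGadget
{
    public static int $wakeups = 0;
    public string $cmd = '';

    public function __wakeup(): void
    {
        // In a real chain, attacker-controlled state (e.g. $this->cmd)
        // would reach a sink such as a file write or process execution.
        self::$wakeups++;
    }
}

// Constructed payload: what an attacker could PUBLISH to the scaling
// channel of an unauthenticated Redis. It is the native PHP
// serialization of a WakeupGadget with cmd = "id".
const CRAFTED_PAYLOAD = 'O:12:"WakeupGadget":1:{s:3:"cmd";s:2:"id";}';

// Constructed legitimate message: a plain array such as one Reverb
// server might forward to another (the exact Reverb format is not
// claimed here; this only shows that scalar/array data is unaffected).
function legitimatePayload(): string
{
    return serialize(['event' => 'message', 'payload' => ['channel' => 'orders', 'id' => 7]]);
}

// Pre-1.7.0 pattern as described in the advisory: the raw channel
// message goes to unserialize() with no restriction on classes.
function handleVulnerable(string $message): mixed
{
    return unserialize($message);
}

// Hardened pattern: refuse to instantiate any class. Objects in the
// payload come back as __PHP_Incomplete_Class and no magic method runs;
// arrays and scalars are decoded exactly as before.
function handleHardened(string $message): mixed
{
    return unserialize($message, ['allowed_classes' => false]);
}

function describe(mixed $value): string
{
    return is_object($value) ? get_class($value) : gettype($value);
}

$before = WakeupGadget::$wakeups;
$v = handleVulnerable(CRAFTED_PAYLOAD);
printf("vulnerable: got %-23s __wakeup ran %d time(s)\n",
    describe($v), WakeupGadget::$wakeups - $before);

$before = WakeupGadget::$wakeups;
$h = handleHardened(CRAFTED_PAYLOAD);
printf("hardened:   got %-23s __wakeup ran %d time(s)\n",
    describe($h), WakeupGadget::$wakeups - $before);

// The hardened handler still decodes ordinary data unchanged.
$legit = handleHardened(legitimatePayload());
printf("hardened legitimate message: %s, channel=%s\n",
    describe($legit), $legit['payload']['channel']);
```

Run it with `php example.php`: the vulnerable handler reports a WakeupGadget instance and one __wakeup call, the hardened handler reports `__PHP_Incomplete_Class` with zero calls, and the legitimate array round-trips intact. The defensive point is that the restriction belongs at the unserialize() call (or, better, a format with no object instantiation such as JSON), because authenticating Redis reduces who can publish but does not change what the consumer will execute.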
