Scramble Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability has been identified in the Scramble package for Laravel, affecting versions 0.13.2 prior to 0.13.22. The issue arises when documentation endpoints are publicly accessible and validation rules reference user-controlled input. Under these conditions, data supplied in requests may be evaluated during the documentation generation process, leading to the execution of arbitrary PHP code within the application's context.
Impact
Exploitation of this vulnerability allows for remote code execution on the server where the application is running.
Remediation
The vulnerability has been fixed in version 0.13.22. If an immediate upgrade is not possible, access to documentation endpoints should be restricted, user-controlled variables should be avoided in validation rule expressions, and documentation endpoints should be disabled in production environments if not needed.
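As an added example (not code from the Scramble project or from this advisory), the two remediation points that can be expressed in application code: restricting the documentation endpoint through Scramble's `viewApiDocs` gate, and keeping validation rule expressions free of request data. The `is_admin` attribute and the `StoreBookingRequest` class are hypothetical.

```php
<?php
// app/Providers/AppServiceProvider.php (added example, not Scramble's own code)
namespace App\Providers;

use App\Models\User;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Scramble checks the "viewApiDocs" gate before serving the docs route.
        // Outside the local environment access is denied unless this gate
        // allows it; here only authenticated users flagged as admins pass.
        // The is_admin column is an assumption of this example.
        Gate::define('viewApiDocs', function (?User $user): bool {
            return $user !== null && $user->is_admin === true;
        });
    }
}

// app/Http/Requests/StoreBookingRequest.php (hypothetical request class)
namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Validation\Rule;

class StoreBookingRequest extends FormRequest
{
    public function rules(): array
    {
        // Pattern the advisory warns against: the rule expression itself is
        // assembled from request data, so user-controlled text becomes part
        // of what the documentation pass evaluates.
        //   'ends_at' => 'date|after:' . $this->input('starts_at'),
        //
        // Safer: keep rule expressions static and reference other fields by
        // name; request data stays on the value side only.
        return [
            'starts_at' => ['required', 'date'],
            'ends_at'   => ['required', 'date', 'after:starts_at'],
            'status'    => ['required', Rule::in(['pending', 'confirmed'])],
        ];
    }
}
```

Disabling the docs route entirely in production (the advisory's third point) is a deployment setting rather than application code, so it is not shown here.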
