### Vulnerability Key Information

#### Vulnerability Description

- **Vulnerability Type**: Insecure Deserialization (CWE-502)
- **Severity**: Critical (9.8)
- **Impact**: Affects Laravel Reverb versions < 1.7.0 when horizontal scaling is enabled (`REVERB_SCALING_ENABLED=true`).
- **Risk**: Remote Code Execution (RCE)
- **Cause**: Reverb communicates via Redis PubSub. Previously, it passed Redis channel data directly to PHP's `unserialize()` function, leading to unrestricted class instantiation.

#### Fix

- **Fixed Version**: Laravel Reverb v1.7.0
- **Recommendation**: Immediately upgrade dependencies to `laravel/reverb: ^1.7.0`

#### Temporary Mitigations

If upgrading to v1.7.0 is not feasible, apply the following mitigations:

- **Redis Security**: Protect Redis access with strong passwords and ensure the service is accessible only via private networks or localhost.
- **Disable Scaling**: When using a single Reverb node, set `REVERB_SCALING_ENABLED=false` to completely avoid the vulnerable logic.

#### References

- [CWE-502: Deserialization of Untrusted Data](http://web.mit.edu/sjaksch/www/CWE-502-Deserialization-of-Untrusted-Data.html)
- [Laravel Reverb Documentation: Scaling](https://laravel.com/docs/master/broadcasting#include-modes)

#### Reporter

- This vulnerability was discovered and responsibly reported by Mohammad Yaser Abo-Elmaaty [@m0h4mmad](https://github.com/m0h4mmad)
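The following is an added illustration of the weakness class the advisory describes, not Reverb's own code and not a reproduction of the v1.7.0 patch. It contrasts the unsafe pattern (channel data handed straight to `unserialize()`, so any class loadable by the process can be instantiated) with two defensive decoders: one that keeps PHP serialization but forbids object instantiation, and one that avoids PHP serialization on the wire entirely by exchanging JSON. The function names and the shape of the sample messages are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Reverb's code. Function names and message shape are assumed.

// The pattern the advisory describes: data from a Redis channel is passed
// straight to unserialize(), so any serialized object in the message is
// instantiated and its unserialization hooks run.
function decodeUnsafe(string $raw): mixed
{
    return unserialize($raw);
}

// Recursively check whether a decoded value contains any object, including
// the __PHP_Incomplete_Class placeholder that PHP substitutes when a class
// is not permitted.
function containsObject(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened decoder: allowed_classes => false means no class is ever
// instantiated (PHP returns __PHP_Incomplete_Class instead and does not
// invoke __wakeup/__unserialize), and max_depth bounds nested structures.
// Anything that is not a plain array of scalars/arrays is rejected.
function decodeChannelPayload(string $raw): array
{
    $value = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 16]);
    if ($value === false && $raw !== serialize(false)) {
        throw new UnexpectedValueException('Malformed channel payload');
    }
    if (!is_array($value) || containsObject($value)) {
        throw new UnexpectedValueException('Channel payload must be a plain array');
    }
    return $value;
}

// Preferred shape for a pub/sub bus: JSON carries no class information at
// all, so there is nothing for unserialize()-style object instantiation to act on.
function decodeJsonPayload(string $raw): array
{
    $value = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($value)) {
        throw new UnexpectedValueException('Channel payload must be a JSON object or array');
    }
    return $value;
}

// Constructed sample messages (not captured from a real Reverb deployment):
// a benign broadcast event, and a message that carries a serialized object.
$benign = serialize(['event' => 'message', 'channel' => 'chat', 'payload' => ['text' => 'hi']]);
$objectMessage = serialize(new DateTime('2024-01-01T00:00:00Z'));

echo 'Benign event accepted: ', decodeChannelPayload($benign)['event'], "\n";

try {
    decodeChannelPayload($objectMessage);
} catch (UnexpectedValueException $e) {
    echo 'Object message rejected: ', $e->getMessage(), "\n";
}

echo 'JSON event accepted: ', decodeJsonPayload('{"event":"message","channel":"chat"}')['channel'], "\n";
```

Run it with `php example.php`. The `decodeUnsafe()` function is included only to show the shape of the problem; nothing in the example calls it. The JSON decoder is the stronger choice because it removes class names from the wire format altogether, which also makes the Redis channel contents easier to inspect and log. Note that neither decoder replaces the advisory's network-level mitigations: a Redis instance that accepts unauthenticated connections from untrusted hosts lets an attacker publish arbitrary messages to the scaling channel regardless of how they are decoded, so `requirepass` and a `bind` restricted to localhost or the private network remain necessary.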