Voyager PHP Package Vulnerabilities Open Path to One-Click RCE Exploits
January 30, 2025
Voyager, a widely used open-source PHP package that adds an administrative interface to Laravel applications, contains multiple vulnerabilities, according to researchers at SonarSource. The package provides an admin UI, BREAD (Browse, Read, Edit, Add, Delete) operations, and media and user management; the researchers found an arbitrary file write vulnerability in it during a routine scan.
That vulnerability, chained with the others they discovered, enables one-click remote code execution (RCE) on a Voyager instance. The central flaw lies in Voyager's media upload feature: the upload check relies on MIME type verification, which a polyglot file (one that passes as an image while also containing PHP code) satisfies, so the embedded PHP can later be executed on the server. Combined with the CVE-2024-55416 flaw, this turns a single click on a malicious link by a logged-in user into code execution.
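The failure mode described above is that a MIME check only inspects the magic bytes at the start of a file, so a polyglot that opens like an image passes it. The following is an added example of a hardened upload validator written for this article; it is not Voyager's code and its function name, constants and sample files are assumptions. It layers an extension allowlist, server-side content sniffing, a scan for PHP open tags and an image decode check, and runs its own constructed samples through the validator.

```php
<?php
declare(strict_types=1);

// Added example, not Voyager's code: an upload validator that does not trust
// the MIME type alone. Names below (validateUpload, ALLOWED_*) are assumptions.

const ALLOWED_EXT  = ['png', 'jpg', 'jpeg', 'gif'];
const ALLOWED_MIME = ['image/png', 'image/jpeg', 'image/gif'];

/**
 * Validate an upload. Returns null when acceptable, otherwise a rejection reason.
 * $originalName is the client-supplied file name; $tmpPath is the stored upload.
 */
function validateUpload(string $originalName, string $tmpPath): ?string
{
    // 1. Extension allowlist: the last extension decides, and inner
    //    extensions such as "x.php.png" are rejected as well.
    $parts = explode('.', strtolower(basename($originalName)));
    if (count($parts) < 2) {
        return 'missing extension';
    }
    $ext = array_pop($parts);
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return "extension .$ext not allowed";
    }
    foreach ($parts as $inner) {
        if (preg_match('/^ph(p|tml|ar)\d*$/', $inner)) {
            return 'nested PHP extension';
        }
    }

    // 2. Server-side MIME detection from content, never the client header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        return "detected MIME $mime not allowed";
    }

    // 3. Sniffing only reads the magic bytes, so a file that starts like an
    //    image can still carry PHP further down. Reject any PHP open tag.
    $data = file_get_contents($tmpPath);
    if (preg_match('/<\?(php|=)|<script[^>]+language\s*=\s*["\']?php/i', $data)) {
        return 'embedded PHP tag';
    }

    // 4. The image must actually decode; getimagesize() fails on junk.
    if (@getimagesize($tmpPath) === false) {
        return 'not a decodable image';
    }
    return null;
}

// Small self-check helper: throw if the validator disagrees with expectation.
function expect(?string $actual, ?string $expected, string $label): void
{
    if ($actual !== $expected) {
        throw new RuntimeException("$label: got " . var_export($actual, true));
    }
    echo "$label: ok\n";
}

// --- constructed samples (not real uploads) ---
$dir = sys_get_temp_dir();

$cleanGif = "$dir/clean_sample.gif";
// A valid 1x1 transparent GIF, base64-encoded.
file_put_contents($cleanGif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));

$polyglot = "$dir/poly_sample.gif";
// GIF magic bytes followed by an inert PHP tag: libmagic still reports image/gif,
// which is exactly why step 3 exists.
file_put_contents($polyglot, "GIF89a" . "<?php /* constructed marker */ ?>");

expect(validateUpload('photo.gif', $cleanGif), null, 'clean gif');
expect(validateUpload('photo.gif', $polyglot), 'embedded PHP tag', 'polyglot gif');
expect(validateUpload('shell.php', $cleanGif), 'extension .php not allowed', 'php extension');
expect(validateUpload('x.php.gif', $cleanGif), 'nested PHP extension', 'nested extension');

unlink($cleanGif);
unlink($polyglot);
```

Two design notes: the tag scan is a belt-and-braces check rather than the primary control, because the stronger mitigation is to store uploads under a server-generated name outside the web root (or on a path the web server never executes) and, for images, to re-encode them through an image library so foreign bytes are dropped. Run it with `php validator.php`; each line prints `ok` or the script throws on the first mismatch.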
SonarSource's advisory states: “When an authenticated Voyager user clicks on a malicious link, attackers can execute arbitrary code on the server. At the time of writing this blog (Voyager version 1.8.0), the vulnerabilities have not been fixed and we release this information to allow users to protect themselves under our 90-day responsible disclosure deadline.”
A second vulnerability, CVE-2024-55415, lets an attacker read or delete files on the server without dropping a PHP file at all. It stems from insufficient input validation in the pathToLogFile function, which builds a file path from a user-controlled value and so can be pointed at files outside the intended location. A user tricked into clicking a crafted link triggers arbitrary file deletion, which can take the server down or, depending on which file is removed, contribute to code execution.
The /admin/compass endpoint also serves file downloads; combined with the previously noted XSS vulnerability, it can be used to exfiltrate sensitive files to an attacker-controlled server. SonarSource reports that repeated attempts to reach the maintainers by email and GitHub went unanswered, and it is publishing the details under its 90-day responsible disclosure policy so that users can protect themselves.
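The bug class behind CVE-2024-55415 is a user-supplied name turned into a file path without being confined to the directory it was meant for. Below is an added example (written for this article, not Voyager's code; `safeLogPath`, the fixture directory and the sample names are assumptions, and it needs PHP 8 for `str_contains`/`str_starts_with`) of a hardened name-to-path helper: it accepts only a plain `.log` file name, canonicalises both the base directory and the candidate with `realpath()`, and then requires the candidate to sit inside the base, which also defeats symlinks that point elsewhere.

```php
<?php
declare(strict_types=1);

// Added example, not Voyager's code: map a user-supplied log name to a path
// that is guaranteed to stay inside $logDir, or return null.
function safeLogPath(string $logDir, string $name): ?string
{
    // 1. Only a plain file name is accepted: restricted character set, a
    //    ".log" suffix, and no ".." sequences. Separators and null bytes
    //    cannot pass the character class.
    if (!preg_match('/^[A-Za-z0-9_.-]+\.log$/', $name) || str_contains($name, '..')) {
        return null;
    }

    // 2. Canonicalise both sides so symlinks and "./" segments are resolved,
    //    then require the candidate to live under the base directory.
    $base = realpath($logDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false) {
        return null; // does not exist: nothing to read or delete
    }
    if (!str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
        return null; // resolved outside the base (e.g. through a symlink)
    }
    return $candidate;
}

// --- constructed fixture: a temporary log directory plus a file outside it ---
$dir = sys_get_temp_dir() . '/logs_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/laravel.log", "constructed log line\n");
$outside = sys_get_temp_dir() . '/outside_' . bin2hex(random_bytes(4)) . '.log';
file_put_contents($outside, "constructed file outside the log directory\n");
symlink($outside, "$dir/link.log"); // a link inside the directory that escapes it

// Constructed inputs and whether the helper should accept them.
$cases = [
    'laravel.log'        => true,   // ordinary log in the directory
    '../../etc/passwd'   => false,  // traversal, fails the name check
    'laravel.log%00.txt' => false,  // wrong suffix and odd characters
    '/etc/hosts'         => false,  // absolute path, fails the name check
    'link.log'           => false,  // passes the name check, fails containment
    'missing.log'        => false,  // well-formed but does not exist
];

foreach ($cases as $input => $shouldPass) {
    $accepted = safeLogPath($dir, $input) !== null;
    if ($accepted !== $shouldPass) {
        throw new RuntimeException("unexpected result for '$input'");
    }
    printf("%-22s %s\n", $input, $accepted ? 'allowed' : 'rejected');
}

// Clean up the fixture.
unlink("$dir/link.log");
unlink("$dir/laravel.log");
rmdir($dir);
unlink($outside);
```

The order matters: the name check runs before any filesystem access so that malformed input never reaches `realpath()`, and the containment check compares against `$base . DIRECTORY_SEPARATOR` rather than `$base` alone so that a sibling directory whose name merely begins with the base name (for example `logs_extra` next to `logs`) is not mistaken for a child.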
SonarSource's report concludes: “At this time, no patches are available to address the vulnerabilities we’ve identified. Despite multiple attempts to contact the project maintainers via email and GitHub, we have not received a response. In accordance with our responsible disclosure policy, we are publicly releasing the details of our findings after 90 days. We believe this allows users of Voyager to make informed decisions about their use of Voyager. We strongly advise users to carefully consider using this project in their applications and exercise caution when deciding to do so.”