CVE-2024-47823 Overview
CVE-2024-47823 is a file upload validation flaw in Livewire, a full-stack framework for Laravel that powers dynamic UI components without leaving PHP. Versions prior to 2.12.7 and 3.5.2 guess a file's extension based on its MIME type instead of validating the extension provided in the filename. An attacker can upload a file with a benign MIME type such as image/png and a .php extension, bypassing the validation logic. When applications combine $file->getClientOriginalName() with public storage and a webserver configured to execute PHP, this results in remote code execution (RCE).
Critical Impact
Authenticated attackers can achieve remote code execution on Laravel applications using vulnerable Livewire versions when uploads are stored in publicly accessible disks under their original filenames.
Affected Products
- Laravel Livewire versions prior to 2.12.7
- Laravel Livewire 3.x versions prior to 3.5.2
- Laravel applications using $file->getClientOriginalName() for stored uploads on public disks
Discovery Timeline
- 2024-10-08 - CVE-2024-47823 published to NVD
- 2025-03-06 - Last updated in NVD database
Technical Details for CVE-2024-47823
Vulnerability Analysis
The vulnerability is classified under [CWE-434] Unrestricted Upload of File with Dangerous Type and [CWE-20] Improper Input Validation. Livewire's temporary upload handler derived the stored file extension from the MIME type via Symfony's guessExtension() rather than from the client-provided filename. An attacker crafts an HTTP multipart upload where the Content-Type header advertises an allowed image MIME, while the filename ends in .php. Livewire's MIME-based check passes, and the file is persisted with its original name preserved through getClientOriginalName(). If the storage disk is web-accessible and the webserver executes PHP files in that directory, the attacker requests the uploaded file URL to trigger code execution.
Root Cause
The defect lives in TemporaryUploadedFile.php, where the stored extension was generated by $file->guessExtension(). This function infers an extension from the file's detected MIME type and never compares it against the actual suffix of the submitted filename. Applications that later write the file under its original name therefore retain the attacker-controlled .php extension on disk.
Attack Vector
Exploitation requires network access to an upload endpoint, low-privilege authentication where the application requires it, and a server configuration that exposes the storage path and executes PHP. The attacker uploads a polyglot file that begins with valid image bytes followed by PHP code, named for example shell.php, with Content-Type: image/png. Once stored under storage/public/, requesting the file URL executes the embedded PHP payload.
{
$hash = str()->random(30);
$meta = str('-meta'.base64_encode($file->getClientOriginalName()).'-')->replace('/', '_');
- $extension = '.'.$file->guessExtension();
+ $extension = '.'.$file->getClientOriginalExtension();
return $hash.$meta.$extension;
}
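Review bot: the `+` line makes the stored extension whatever the client supplied, so the hunk itself validates nothing and relies entirely on the validation rules that callers run against the resulting name; that dependency should be documented at the call site. Also, `getClientOriginalExtension()` returns an empty string when the original filename has no dot, in which case `$extension` is a bare `.` and the generated name ends in `-.`; consider emitting the dot only when the extension is non-empty.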
Source: Livewire commit 70503b7. The patch replaces MIME-based extension guessing with getClientOriginalExtension(), ensuring the stored extension reflects the original filename suffix that validation rules then enforce.
Detection Methods for CVE-2024-47823
Indicators of Compromise
- PHP files written to public storage directories such as storage/app/public/ or public/livewire-tmp/ with timestamps correlating to upload requests.
- HTTP POST requests to Livewire endpoints (/livewire/upload-file) containing multipart filenames ending in .php, .phtml, or .phar paired with image MIME types.
- Subsequent GET requests to recently uploaded files in storage paths that return non-image content or trigger outbound network connections.
Detection Strategies
- Inspect web access logs and any captured upload request bodies for filename and MIME mismatches, parsing the multipart parts and flagging filename extensions not in an allowlist.
- Hunt for newly created files with executable PHP extensions inside web-served directories using file integrity monitoring.
- Review Laravel application logs for TemporaryUploadedFile operations referencing suspicious original filenames.
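The filename/MIME mismatch check described above, as an added example in Python (not Livewire's or this page's own code): it parses a constructed multipart body of the kind sent to an upload endpoint and flags file parts whose extension is executable, absent from an allowlist, or inconsistent with the declared Content-Type. The allowlist and the extension-to-MIME table are assumptions for a typical image-upload form.

```python
import re

# Assumed allowlist of image extensions the application accepts.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "webp"}
# Expected declared MIME type for each allowed extension (assumption).
MIME_FOR_EXT = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg",
                "gif": "image/gif", "webp": "image/webp"}
# Extensions the webserver may execute; same pattern as the Nginx rule on this page.
EXECUTABLE_RE = re.compile(r"\.ph(p\d?|tml|ar)$", re.IGNORECASE)


def parse_multipart(body: bytes, boundary: str):
    """Yield (filename, content_type, payload) for each file part in a multipart body."""
    delim = b"--" + boundary.encode()
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):                 # closing delimiter reached
            break
        head, _, payload = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = head.decode("latin-1")
        name = re.search(r'filename="([^"]*)"', headers)
        if not name:
            continue                                # ordinary form field, not a file
        ctype = re.search(r"Content-Type:\s*([^\r\n]+)", headers, re.I)
        if payload.endswith(b"\r\n"):               # CRLF that precedes the next delimiter
            payload = payload[:-2]
        yield name.group(1), (ctype.group(1).strip().lower() if ctype else ""), payload


def flag_upload(filename: str, content_type: str, payload: bytes) -> list:
    """Return the reasons an upload part looks suspicious; empty list means clean."""
    reasons = []
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    if EXECUTABLE_RE.search(filename):
        reasons.append("executable extension")
    if ext not in ALLOWED_EXTENSIONS:
        reasons.append("extension not in allowlist")
    elif MIME_FOR_EXT[ext] != content_type:
        reasons.append("declared MIME does not match extension")
    if content_type.startswith("image/") and b"<?php" in payload:
        reasons.append("image MIME but PHP open tag in body")
    return reasons


def scan_body(body: bytes, boundary: str) -> dict:
    """Map every uploaded filename in the body to its list of findings."""
    return {fn: flag_upload(fn, ct, pl) for fn, ct, pl in parse_multipart(body, boundary)}


# Constructed sample body: one legitimate PNG and one .php part declared as image/png.
BOUNDARY = "----constructedBoundary"
SAMPLE_BODY = (
    b"------constructedBoundary\r\n"
    b'Content-Disposition: form-data; name="files[]"; filename="avatar.png"\r\n'
    b"Content-Type: image/png\r\n\r\n"
    b"\x89PNG\r\n\x1a\n\x00\x00\x00\x00\r\n"
    b"------constructedBoundary\r\n"
    b'Content-Disposition: form-data; name="files[]"; filename="shell.php"\r\n'
    b"Content-Type: image/png\r\n\r\n"
    b"\x89PNG\r\n\x1a\n<?php /* constructed marker */ ?>\r\n"
    b"------constructedBoundary--\r\n"
)
```

Running scan_body(SAMPLE_BODY, BOUNDARY) yields no findings for avatar.png and three for shell.php.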
Monitoring Recommendations
- Alert on creation of .php, .phtml, .phar, or .htaccess files under any directory mapped to a public storage disk.
- Monitor child processes spawned by PHP-FPM or webserver workers, especially those whose working directory is an uploads directory.
- Track outbound connections from the webserver user immediately following file upload activity to identify post-exploitation callbacks.
How to Mitigate CVE-2024-47823
Immediate Actions Required
- Upgrade Livewire to 2.12.7 for the 2.x branch or 3.5.2 for the 3.x branch via composer update livewire/livewire.
- Audit application code for uploads stored with $file->getClientOriginalName() and replace with hashed or sanitized names.
- Configure storage disks so uploaded content is not served from a directory where the webserver executes PHP.
Patch Information
The fix is delivered in Livewire 2.12.7 and 3.5.2. The patch changes TemporaryUploadedFile::generateHashNameWithOriginalNameEmbedded() to call getClientOriginalExtension() instead of guessExtension(), so the stored extension matches the filename and is subject to validation rules. See the Livewire Security Advisory GHSA-f3cx-396f-7jqp and pull request #8624 for the complete change set.
Workarounds
- The vendor states there are no known workarounds. Apply the patched release.
- As a defense-in-depth measure, configure the webserver to disable PHP execution within upload and storage directories using php_admin_flag engine off or equivalent Nginx location rules.
- Validate uploads server-side against an explicit extension allowlist before persisting files.
# Nginx: disable PHP execution in Laravel public storage
location ^~ /storage/ {
    location ~ \.ph(p\d?|tml|ar)$ {
        deny all;
        return 403;
    }
}

# Composer: apply the patched release
composer require livewire/livewire:^3.5.2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.