Echoes of Doom: Unserializing RCE in Laravel Reverb
Vulnerability ID: CVE-2026-23524
CVSS Score: 9.8
Published: 2026-01-21
A critical deserialization vulnerability in Laravel Reverb allows remote code execution via malicious Redis PubSub messages when horizontal scaling is enabled.
TL;DR
If you are running Laravel Reverb in a scaled environment (using Redis), you are likely vulnerable to RCE. Reverb fails to validate class types when processing messages from Redis, allowing an attacker with Redis access (or SSRF) to trigger a PHP Object Injection attack. Patch immediately to v1.7.0.
⚠️ Exploit Status: WEAPONIZED
Technical Details
- CWE ID: CWE-502
- Attack Vector: Network (Redis PubSub)
- CVSS v3.1: 9.8 (Critical)
- Impact: Remote Code Execution
- Requirement: Redis Scaling Enabled
- Exploit Status: Weaponized (PoC Available)
Affected Systems
- Laravel Reverb Server (< v1.7.0)
- Laravel Applications using Reverb with Scaling Enabled
- Laravel Reverb: < 1.7.0 (Fixed in: 1.7.0)
Code Analysis
Commit: 9ec26f8
Restrict unserialize to allowed classes
- $application = unserialize($event['application'] ?? null);
+ $application = unserialize($event['application'] ?? null, ['allowed_classes' => [Application::class]]);
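Review bot: the patched line restricts allowed_classes but never checks what unserialize() actually returned; PHP does not fail when it meets a class outside the allow-list, it substitutes a __PHP_Incomplete_Class object, and on malformed input it returns false, so $application should be verified with `$application instanceof Application` before any use. The `?? null` fallback also hands null to unserialize() when the 'application' key is absent; rejecting a missing key explicitly would be cleaner than relying on that coercion.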
Exploit Details
- Internal Research: Standard Laravel Gadget Chains (e.g., Monolog/RCE1) work against the unpatched unserialize call.
Mitigation Strategies
- Strict type whitelisting in unserialize() calls
- Network segmentation for Redis infrastructure
- Implementation of Redis authentication (ACLs)
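The first mitigation, strict class whitelisting, is only half of a safe unserialize() call: PHP turns a disallowed class into __PHP_Incomplete_Class rather than raising an error, so the result must also be type-checked. The following is an added example and not Reverb's own code; the Application class is a hypothetical stand-in with two properties, the function names are the author's own, and it assumes PHP 8.1+.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the class carried in the Redis PubSub message.
final class Application
{
    public function __construct(
        public readonly string $id,
        public readonly string $key,
    ) {}
}

final class UnsafePayloadException extends RuntimeException {}

/**
 * Walk a decoded value and report whether any object in the graph was
 * replaced by __PHP_Incomplete_Class. allowed_classes applies to nested
 * objects too, so a top-level instanceof check alone would miss them.
 */
function containsIncompleteClass(mixed $value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_object($value)) {
        // The array cast exposes private and protected properties as well.
        $value = (array) $value;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsIncompleteClass($item)) {
                return true;
            }
        }
    }
    return false;
}

/**
 * Unserialize a PubSub payload with a strict allow-list and verify the result.
 * Rejects missing/non-string input, malformed data (unserialize() returns
 * false), and any object outside the allow-list anywhere in the graph.
 */
function unserializeApplication(mixed $raw): Application
{
    if (!is_string($raw) || $raw === '') {
        throw new UnsafePayloadException('missing or non-string application payload');
    }

    $value = unserialize($raw, ['allowed_classes' => [Application::class]]);

    if (!$value instanceof Application) {
        throw new UnsafePayloadException('payload did not decode to an Application');
    }
    if (containsIncompleteClass($value)) {
        throw new UnsafePayloadException('payload contains a class outside the allow-list');
    }
    return $value;
}

// Constructed inputs for a local run: one legitimate message and one that
// names a class outside the allow-list (a harmless placeholder type).
$legit = serialize(new Application('app-1', 'key-1'));
echo 'accepted: ', unserializeApplication($legit)->id, PHP_EOL;

$forged = 'O:13:"SomeOtherType":0:{}';
try {
    unserializeApplication($forged);
} catch (UnsafePayloadException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Because __PHP_Incomplete_Class objects never have __wakeup() or __destruct() invoked, the allow-list removes the gadget entry points; the instanceof and graph checks then make sure a rejected payload fails loudly instead of being carried further into the application as a half-decoded object.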
Remediation Steps:
- Stop the running Reverb daemon (the process started with php artisan reverb:start).
- Run composer update laravel/reverb to fetch version 1.7.0+.
- Verify the installed version using composer show laravel/reverb.
- Restart the Reverb daemon.
- Audit Redis security groups and ensure port 6379 is not globally accessible.
References
Read the full report for CVE-2026-23524 on our website for more details including interactive diagrams and full exploit analysis.