CVE-2024-55556
Published: 07 January 2025
Description
A vulnerability in Crater Invoice allows an unauthenticated attacker who knows the application's Laravel APP_KEY to achieve remote command execution on the server by manipulating the laravel_session cookie, which carries encrypted, serialized session data. With the APP_KEY the attacker can decrypt the cookie, alter the serialized data and re-encrypt it so that the server accepts it as genuine; when the server processes the tampered cookie it deserializes the attacker-controlled data, which can lead to remote command execution (RCE). Obtaining the secret APP_KEY is therefore the prerequisite for exploitation; with it, an attacker needs only a laravel_session cookie to manipulate.
Security Summary
CVE-2024-55556 is a critical vulnerability in Crater Invoice, an open-source invoicing application built on Laravel, that allows arbitrary deserialization leading to remote command execution. The flaw stems from the ability to manipulate the encrypted laravel_session cookie, which contains serialized session data protected by Laravel's secret APP_KEY. Published on January 7, 2025, it is classified under CWE-502 (Deserialization of Untrusted Data) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An unauthenticated attacker with knowledge of the target's APP_KEY can exploit this vulnerability over the network with low complexity. By decrypting a laravel_session cookie, injecting a malicious serialized payload, and re-encrypting it with the APP_KEY, the attacker produces a cookie that the server accepts: Laravel authenticates encrypted cookies with an HMAC keyed by the same APP_KEY, so possession of the key defeats the integrity check as well as the encryption. The server deserializes the tampered payload, which can result in remote command execution, giving the attacker high-impact control over confidentiality, integrity, and availability.
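The forgery path above hinges on one detail of Laravel's cookie encryption: the cookie value is base64(JSON{iv, value, mac}), where value is AES-256-CBC ciphertext and mac is HMAC-SHA256, keyed with the same APP_KEY, over the base64 IV and ciphertext. The Go program below is an added example, not code from the Synacktiv advisory or the Crater project: it reproduces that format against a constructed key so you can see that anything re-sealed with the key passes the server-side MAC check. The key, the PHP-serialized stand-in strings and the function names are constructed for the example; the per-cookie-name prefix that newer Laravel releases prepend to the plaintext is left out, and no deserialization gadget is included.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// ConstructedKey is a made-up APP_KEY for this example. In a Laravel .env it would appear as
// APP_KEY=base64:<base64 of these 32 bytes>; strip that "base64:" prefix and decode before use.
var ConstructedKey = []byte("0123456789abcdef0123456789abcdef")
var b64 = base64.StdEncoding // Laravel uses standard, padded base64 throughout

// payload mirrors the JSON object Laravel's Encrypter base64-encodes into the cookie value.
type payload struct {
	IV    string `json:"iv"`
	Value string `json:"value"`
	MAC   string `json:"mac"`
}

func decodePayload(cookie string) (p payload, err error) {
	j, err := b64.DecodeString(cookie)
	if err == nil {
		err = json.Unmarshal(j, &p)
	}
	return p, err
}

// laravelMAC reproduces Encrypter::hash(): hex(HMAC-SHA256(key, base64(iv) || base64(ciphertext))).
func laravelMAC(key []byte, ivB64, valueB64 string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(ivB64 + valueB64))
	return hex.EncodeToString(m.Sum(nil))
}

// Encrypt seals plaintext as Laravel does (random IV, AES-256-CBC, PKCS#7 padding, then the MAC).
// Holding APP_KEY is all it takes, which is exactly the attacker's position in the advisory.
func Encrypt(key, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	p := payload{IV: b64.EncodeToString(iv), Value: b64.EncodeToString(ct)}
	p.MAC = laravelMAC(key, p.IV, p.Value)
	j, _ := json.Marshal(p) // three string fields: cannot fail
	return b64.EncodeToString(j), nil
}

// Decrypt is the server side: verify the MAC before touching the ciphertext (as Laravel does), then
// decrypt and strip padding. Laravel passes the result to unserialize(), which is the CWE-502 sink.
func Decrypt(key []byte, cookie string) ([]byte, error) {
	p, err := decodePayload(cookie)
	if err != nil {
		return nil, err
	}
	if !hmac.Equal([]byte(p.MAC), []byte(laravelMAC(key, p.IV, p.Value))) {
		return nil, errors.New("MAC mismatch: cookie was not sealed with this APP_KEY")
	}
	iv, ivErr := b64.DecodeString(p.IV)
	ct, ctErr := b64.DecodeString(p.Value)
	block, keyErr := aes.NewCipher(key)
	if ivErr != nil || ctErr != nil || keyErr != nil ||
		len(iv) != aes.BlockSize || len(ct) < aes.BlockSize || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("malformed key, iv or ciphertext")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if pad := int(pt[len(pt)-1]); pad >= 1 && pad <= aes.BlockSize {
		return pt[:len(pt)-pad], nil
	}
	return nil, errors.New("bad padding")
}

func main() {
	// Constructed stand-ins for PHP-serialized session data; no deserialization gadget is included.
	captured, _ := Encrypt(ConstructedKey, []byte(`s:40:"0123456789abcdef0123456789abcdef01234567";`))
	pt, _ := Decrypt(ConstructedKey, captured)
	fmt.Printf("genuine cookie decrypts to %q\n", pt)
	// The attacker re-seals chosen data under the same key; the server cannot tell it from a genuine cookie.
	forged, _ := Encrypt(ConstructedKey, []byte(`a:1:{s:4:"role";s:5:"admin";}`))
	pt, err := Decrypt(ConstructedKey, forged)
	fmt.Printf("forged cookie accepted: %v, server would unserialize %q\n", err == nil, pt)
}
```

Run it with `go run .`. The forged cookie is accepted because the MAC is keyed with the same APP_KEY used for encryption: the integrity check defeats an attacker who lacks the key (a cookie sealed under a different key, or a captured cookie with a flipped ciphertext bit, makes Decrypt return the MAC-mismatch error), but it offers no protection once the key is known.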
The Synacktiv advisory at https://www.synacktiv.com/advisories/crater-invoice-unauthenticated-remote-command-execution-when-appkey-known details the exploitation vector and mitigation guidance; the Crater Invoice GitHub repository at https://github.com/crater-invoice/crater is the upstream source for fixes. Protecting the APP_KEY from exposure is essential, since it is the primary prerequisite for exploitation: keep the .env file out of the web root and out of version control, and if the key may have been disclosed, rotate it, bearing in mind that cookies and other data encrypted under the old key stop decrypting once it changes.
Details
- CWE(s)