CVE-2024-47823
CVE-2024-47823 is a critical-severity vulnerability in Laravel Livewire with a CVSS 3.x base score of 9.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-434.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v4: 7.7
- EPSS exploit prediction: 1% (53rd percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-3024
- Weakness: CWE-434
- Affected product: Laravel Livewire
- Published:
- Last modified:
Description
Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a “.php” file extension. If the following criteria are met, the attacker can carry out an RCE attack: 1. Filename is composed of the original file name using `$file->getClientOriginalName()`. 2. Files stored directly on your server in a public storage disk. 3. Webserver is configured to execute “.php” files. This issue has been addressed in release versions `2.12.7` and `3.5.2`. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Frequently asked questions
- What is CVE-2024-47823?
- Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a “.php” file extension. If the following criteria are met, the attacker can carry out an RCE attack: 1. Filename is composed of the original file name using `$file->getClientOriginalName()`. 2. Files stored directly on your server in a public storage disk. 3. Webserver is configured to execute “.php” files. This issue has been addressed in release versions `2.12.7` and `3.5.2`. All users are advised to upgrade. There are no known workarounds for this vulnerability.
- How severe is CVE-2024-47823?
- CVE-2024-47823 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2024-47823 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (53rd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2024-47823?
- CVE-2024-47823 affects Laravel Livewire. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2024-47823?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- Does CVE-2024-47823 have an EU (EUVD) identifier?
- Yes. CVE-2024-47823 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-3024.
- When was CVE-2024-47823 published?
- CVE-2024-47823 was published on 2024-10-08 and last updated on 2026-06-17.
References
- https://github.com/livewire/livewire/commit/70503b79f5db75a1eac9bf55826038a6ee5a16d5
- https://github.com/livewire/livewire/commit/cd168c6212ea13d13b82b3132485741f82d9fad9
- https://github.com/livewire/livewire/pull/8624
- https://github.com/livewire/livewire/security/advisories/GHSA-f3cx-396f-7jqp
Affected products (1)
- cpe:2.3:a:laravel:livewire:*:*:*:*:*:*:*:*
More vulnerabilities in Laravel Livewire
- CVE-2025-54068 — Critical (CVSS 9.8): Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows…
- CVE-2024-22859 — High (CVSS 8.8): Cross-Site Request Forgery (CSRF) vulnerability in livewire before v3.0.4, allows remote attackers to execute arbitrary…
- CVE-2024-21504 — Medium (CVSS 6.1): Versions of the package livewire/livewire from 3.3.5 and before 3.4.9 are vulnerable to Cross-site Scripting (XSS) when…
All CVEs affecting Laravel Livewire →
Other CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerabilities
- CVE-2026-48283 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type…
- CVE-2026-48276 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type…
- CVE-2026-57700 — Critical (CVSS 10.0): Unrestricted Upload of File with Dangerous Type vulnerability in Daan.Dev OMGF Pro allows Using Malicious Files. This…
- CVE-2025-69129 — Critical (CVSS 10.0): Unauthenticated Arbitrary File Upload in WordPress & WooCommerce Scraper Plugin, Import Data from Any Site <= 1.0.7…
- CVE-2026-40772 — Critical (CVSS 10.0): Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions.
- CVE-2026-40412 — Critical (CVSS 10.0): Unrestricted upload of file with dangerous type in Azure Orbital Spatio allows an unauthorized attacker to execute code…
Browse all CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerabilities →