[Security] Bump livewire/livewire from 3.4.12 to 3.6.4

Bumps livewire/livewire from 3.4.12 to 3.6.4. This update includes security fixes.

Vulnerabilities fixed

Livewire Remote Code Execution on File Uploads In livewire/livewire prior to v2.12.7 and v3.5.2, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., image/png) and a “.php” file extension. If the following criteria are met, the attacker can carry out an RCE attack:

  • Filename is composed of the original file name using $file->getClientOriginalName()
  • Files stored directly on your server in a public storage disk
  • Webserver is configured to execute “.php” files

PoC

In the following scenario, an attacker could upload a file called shell.php with an image/png MIME type and execute it on the remote server.

    use Livewire\Attributes\Validate;
    use Livewire\Component;
    use Livewire\WithFileUploads;

    class SomeComponent extends Component
    {
        use WithFileUploads;

        // Rule accepts an image whose client name claims ".png"; the stored
        // extension is still guessed from the MIME type in the affected versions.
        #[Validate('image|extensions:png')]
        public $file;

        public function save()
        {
            $this->validate();

            // ... (rest of the PoC truncated in the advisory excerpt)
        }
    }

... (truncated)
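For contrast with the PoC, here is an added example of a hardened save() that checks the extension claimed by the client file name (from $file->getClientOriginalName(), as the advisory mentions) as well as the MIME-guessed one, and never reuses the client name on disk. This is not code from the advisory or from livewire/livewire; the helper safeUploadName(), the allow list, the "avatars" directory and the private "uploads" disk are assumptions, and it relies on Laravel's UploadedFile extension()/storeAs() and Str::random().

```php
<?php
// Added example, not part of the Livewire advisory or the livewire/livewire code base.
use Illuminate\Http\UploadedFile;
use Illuminate\Support\Str;
use Livewire\Attributes\Validate;
use Livewire\Component;
use Livewire\WithFileUploads;

/**
 * Return a server-generated file name. Both the MIME-guessed extension and the
 * extension claimed by the client file name must be on the allow list, so a
 * "shell.php" body served with an image/png MIME type is rejected before any
 * disk write. (safeUploadName and the allow list are assumptions of this example.)
 */
function safeUploadName(UploadedFile $file, array $allowed = ['png', 'jpg', 'jpeg', 'gif']): string
{
    // extension() is guessed from the detected MIME type.
    $guessed = strtolower((string) $file->extension());
    // The claimed extension comes from the client-supplied name, as in the advisory.
    $claimed = strtolower(pathinfo($file->getClientOriginalName(), PATHINFO_EXTENSION));

    if (!in_array($guessed, $allowed, true)) {
        throw new \InvalidArgumentException("Content type not allowed: {$guessed}");
    }
    if (!in_array($claimed, $allowed, true)) {
        throw new \InvalidArgumentException("File extension not allowed: {$claimed}");
    }

    // Random basename: nothing from the client name reaches the filesystem.
    return Str::random(40) . '.' . $guessed;
}

class SomeComponent extends Component
{
    use WithFileUploads;

    #[Validate('image|extensions:png')] // same rule as the advisory's PoC
    public $file;

    public function save()
    {
        $this->validate();

        // Generated name on a non-public disk ("uploads" is assumed here) instead of
        // $this->file->getClientOriginalName() on a public, script-executing path.
        $this->file->storeAs('avatars', safeUploadName($this->file), 'uploads');
    }
}
```

The web server still needs to be configured not to execute scripts from the upload directory; the name check is a second layer, not a replacement for that.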

Patched versions: 2.12.7; 3.5.2
Affected versions: >= 3.0.0-beta.1, < 3.5.2

Livewire is vulnerable to remote command execution during component property update hydration

Impact

In Livewire v3 (≤ 3.6.3), a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions. Exploitation requires a component to be mounted and configured in a particular way, but does not require authentication or user interaction.

Patches

This issue has been patched in Livewire v3.6.4. All users are strongly encouraged to upgrade to this version or later as soon as possible.

Workarounds

There is no known workaround at this time. Users are strongly advised to upgrade to a patched version immediately.

Resources

No public references available at this time to avoid exposure. Details will be published after a responsible disclosure window.

Patched versions: 3.6.4
Affected versions: >= 3.0.0-beta.1, < 3.6.4

Release notes

Sourced from livewire/livewire's releases.

v3.6.4

What's Changed

Full Changelog: https://github.com/livewire/livewire/compare/v3.6.3...v3.6.4

v3.6.3

What's Changed

New Contributors

Full Changelog: https://github.com/livewire/livewire/compare/v3.6.2...v3.6.3

v3.6.2

What's Changed

Full Changelog: https://github.com/livewire/livewire/compare/v3.6.1...v3.6.2

v3.6.1

What's Changed

Full Changelog: https://github.com/livewire/livewire/compare/v3.6.0...v3.6.1

v3.6.0

... (truncated)

Commits
  • ef04be7 Fix property update hydration
  • 56aa1bb Build assets
  • 8a9a531 Add PHPDoc types to Testable (#9219)
  • 241b5a4 Update enum query parameter to set null for invalid values when nullable (#...
  • 15bd424 Fix resetExcept() to not reset all when all properties supplied (#9117)
  • 9bea207 Fix query string history state error handling (#9278)
  • 76a1679 Revert Breaking Change to Enum Validation in 3.6.2 (#9268)
  • 403eb7d Update forms.md (#9243)
  • e50dfe3 tweak wire:dirty and see if the tests break
  • 6f045da Converts @test to test_ for PHPUNIT 12 support (#9213)
  • Additional commits viewable in compare view
