A critical remote code execution vulnerability exists in the Laravel Reverb real-time communication backend. Attackers with access to the associated Redis server can execute arbitrary code on the application server, potentially leading to a full system compromise. This vulnerability is present when the horizontal scaling feature is enabled and affects versions 1.6.3 and below.

The vulnerability is an insecure deserialization flaw. When horizontal scaling is enabled (REVERB_SCALING_ENABLED=true), Laravel Reverb retrieves data from a Redis channel and passes it directly to PHP's unserialize() function. The function is called without any class restrictions, allowing an attacker who can write data to the Redis server to inject a specially crafted serialized PHP object. Upon deserialization, this object can trigger a gadget chain, leading to Remote Code Execution (RCE) in the context of the Laravel application.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation allows an attacker to gain complete control over the affected application server. The potential consequences include theft or modification of sensitive application data, deployment of ransomware or other malware, service disruption, and using the compromised server as a pivot point to attack other internal network resources. The business risks are severe, encompassing major data breaches, significant financial loss, reputational damage, and regulatory penalties.

Immediate Action: Update Laravel Reverb to the patched version 1.7.0 or later. After patching, monitor application and server logs for any signs of exploitation attempts that may have occurred prior to remediation.

Proactive Monitoring: Monitor Redis server logs for unusual or suspicious commands, particularly those containing serialized PHP object strings (e.g., starting with O:). Review application logs for errors or warnings related to the unserialize() function. Monitor server process lists and network traffic for unexpected outbound connections or command execution originating from the web server process.

Compensating Controls: If immediate patching is not feasible, apply the following workarounds to mitigate the risk:

• Set REVERB_SCALING_ENABLED=false in the environment configuration to disable the vulnerable scaling logic. This is only a valid solution for environments that do not require horizontal scaling (i.e., use only one Reverb node).
• Secure the Redis server by requiring a strong password for authentication.
• Implement strict firewall rules to ensure the Redis service is only accessible from trusted hosts on a private network or via the local loopback interface.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the risk of complete system compromise, immediate remediation is strongly recommended. Organizations should prioritize updating Laravel Reverb to version 1.7.0 or later. While this CVE is not currently on the CISA KEV list, its severity warrants treating it with the highest urgency. In addition to patching, organizations should implement the recommended compensating controls, such as securing Redis access, as a permanent defense-in-depth measure.