Article Details
Scrape Timestamp (UTC): 2025-01-29 19:29:48.351
Original Article Text
Laravel admin package Voyager vulnerable to one-click RCE flaw

Three vulnerabilities discovered in Voyager, an open-source PHP package that adds an admin panel to Laravel applications, can be combined into a remote code execution attack. The issues remain unfixed and can be exploited against an authenticated Voyager user who clicks a malicious link.

Vulnerability researchers at SonarSource, a code quality and security company, say they tried to report the flaws to the Voyager maintainers but received no reply within the 90-day window that the company's vulnerability disclosure policy provides.

Vulnerability details

The SonarQube Cloud team found the first vulnerability in Voyager, an arbitrary file write, during its routine scans. Looking closer at the project, they discovered additional security issues that could be combined to run one-click remote code execution attacks against reachable Voyager instances. The three flaws are summarized as follows:

According to the SonarQube Cloud researchers, they reported the three issues to the Voyager maintainers over email and GitHub starting September 11, 2024, but received no communication back. During the 90-day disclosure period they tried several times to obtain a reply and to warn that the public disclosure date was approaching. The researchers say they also opened a security report via GitHub on November 28 and notified the Voyager maintainers that the 90-day disclosure window had expired and that they were about to publish the technical details.

Impact and recommendations

Voyager is primarily used by Laravel developers who need a pre-built admin panel to manage their applications. Typical users are web development companies, startups, freelance developers, Laravel hobbyists and, generally, small to medium-sized businesses that use Laravel for internal tools or CMS-based applications.
The Voyager project is highly popular: it has been forked 2,700 times on GitHub, has received more than 11,800 stars and counts millions of downloads.

Given that the three flaws SonarQube discovered remain unpatched, Voyager users should consider restricting the admin panel to trusted users only, limiting the "browse_media" permission to prevent unauthorized file uploads through the media manager, and using role-based access control (RBAC) to minimize exposure. Server-level measures include disabling PHP execution in the directory that holds uploaded files, validating the actual content of uploads strictly (not just the declared MIME type or the extension) so that polyglot files, which parse as a valid image while also carrying PHP code, are rejected, and regularly monitoring logs for unusual file upload or access activity. If security is critical, avoid using Voyager in production until official patches are out, or consider migrating to another Laravel admin panel.
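The two server-side recommendations above, strict content validation of uploads and log monitoring for suspicious upload or access activity, are shown below as a worked example. This is added example code, not code from the article or from the Voyager project. It assumes the admin panel is mounted at /admin with a media upload route at /admin/media/upload and that uploaded files are served from /storage/ (treat both paths as hypothetical; adjust them to the deployment), and that the web server writes combined-format access logs. The sample files and log lines are constructed for the example.

```python
"""
Added example (not from the article or the Voyager project): a strict upload
validator that rejects image/PHP polyglots and renamed scripts, plus a scan of
web-server access logs for media uploads and for script files fetched from the
upload directory.

Assumptions (not facts from the article): the Voyager media upload route is
POST /admin/media/upload, uploads are served under /storage/, and the server
uses the combined access-log format.
"""
import re
from typing import List, Optional, Tuple

# Magic-byte signatures for the only content types we are willing to store,
# each paired with the extensions that type is allowed to carry.
SIGNATURES = {
    "image/png": ([b"\x89PNG\r\n\x1a\n"], {".png"}),
    "image/jpeg": ([b"\xff\xd8\xff"], {".jpg", ".jpeg"}),
    "image/gif": ([b"GIF87a", b"GIF89a"], {".gif"}),
    "application/pdf": ([b"%PDF-"], {".pdf"}),
}
# A valid GIF header followed by "<?php ..." is still a valid GIF, so magic
# bytes alone are not enough: any of these markers in the body means the file
# doubles as PHP source. (Aggressive on purpose; false positives are cheap here.)
PHP_MARKERS = (b"<?php", b"<?=", b'<script language="php"')
# Extensions that common PHP handler configurations execute regardless of content.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}

UPLOAD_PATH = "/admin/media/upload"   # assumed Voyager media upload route
STORAGE_PREFIX = "/storage/"          # assumed public path of uploaded files


def _extensions(path: str) -> List[str]:
    """All dotted segments of the file name: 'shell.php.png' -> ['.php', '.png']."""
    name = path.lower().rsplit("/", 1)[-1]
    return ["." + s for s in name.split(".")[1:]]


def sniff_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading magic bytes, or None."""
    for mime, (magics, _) in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return mime
    return None


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Strict check of one upload. Returns (accepted, reason-or-detected-type)."""
    segments = _extensions(filename)
    if not segments:
        return False, "no extension"
    # Every segment counts: Apache's AddHandler-style setups run "x.php.png".
    if any(s in PHP_EXTENSIONS for s in segments):
        return False, "executable extension in name"
    mime = sniff_type(data)
    if mime is None:
        return False, "content is not an allowed type"
    if segments[-1] not in SIGNATURES[mime][1]:
        return False, f"extension does not match detected {mime}"
    if any(m in data for m in PHP_MARKERS):
        return False, "PHP open tag inside file (polyglot)"
    return True, mime


# Combined log format; only the fields needed below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)


def scan_access_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Flag media uploads and any request for a script file under the upload path."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0].lower()
        method, status, ip = m.group("method"), m.group("status"), m.group("ip")
        if method == "POST" and path == UPLOAD_PATH:
            findings.append((n, f"media upload from {ip} (status {status})"))
        # A 200 here means the server served or executed the script; a 403/404
        # means the "no PHP execution in the upload directory" rule held.
        if path.startswith(STORAGE_PREFIX) and any(s in PHP_EXTENSIONS for s in _extensions(path)):
            findings.append((n, f"script requested from storage: {path} (status {status})"))
    return findings


# Constructed sample inputs, not captured from any real system.
POLYGLOT_GIF = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;<?php system($_GET['c']); ?>"
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Jan/2025:10:01:02 +0000] "POST /admin/media/upload HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [29/Jan/2025:10:01:09 +0000] "GET /storage/uploads/avatar.php?c=id HTTP/1.1" 200 45 "-" "curl/8.0"',
    '198.51.100.7 - - [29/Jan/2025:10:02:00 +0000] "GET /storage/uploads/photo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Jan/2025:10:02:30 +0000] "GET /storage/uploads/shell.php.png HTTP/1.1" 403 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for name, blob in [("cat.gif", POLYGLOT_GIF), ("photo.png", CLEAN_PNG),
                       ("a.php.png", CLEAN_PNG), ("doc.pdf", CLEAN_PNG)]:
        print(name, validate_upload(name, blob))
    for n, reason in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

The validator deliberately checks three independent things, because each one alone has a known bypass: the extension list catches renamed scripts, the magic bytes catch a script with an image extension, and the marker scan catches the polyglot that satisfies both of the first two. The log scan is the complementary control: even with uploads locked down, a request for a .php file under the storage path that returns 200 is the signal that the "no PHP execution in the upload directory" rule is missing or misconfigured.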
Daily Brief Summary
Vulnerabilities in the Voyager admin package for Laravel could lead to remote code execution.
Three specific flaws were identified, remaining unpatched and exploitable via a single malicious link clicked by an authenticated user.
SonarSource researchers discovered these vulnerabilities and unsuccessfully attempted to contact the Voyager team over a 90-day period.
The first of the unaddressed issues, an arbitrary file write, was identified through routine scans by the SonarQube Cloud team; the other two were found on closer inspection of the project.
Potential attackers can leverage these vulnerabilities to execute malicious code on systems running vulnerable Voyager instances.
Voyager is extensively used by developers and small to medium-sized businesses for managing Laravel applications, amplifying the impact of these vulnerabilities.
Recommendations include limiting access, enhancing server-level security precautions, and considering alternative admin panels until patches are available.