Platform
drupal
Component
drupal
Fixed in
10.2.11
10.3.9
11.0.8
CVE-2024-55636 describes a potential PHP Object Injection vulnerability discovered in Drupal Core. It is not directly exploitable on its own, but when combined with a separate vulnerability that lets an attacker pass unsafe input to unserialize(), it could lead to arbitrary file deletion. This vulnerability affects Drupal Core versions up to 9.5.9 and is addressed in version 10.2.11.
The primary impact of CVE-2024-55636 lies in its potential for arbitrary file deletion. An attacker, possessing a separate vulnerability to inject malicious data into the unserialize() function, could leverage this object injection to delete critical files on the server. This could lead to complete system compromise, denial of service, or data loss. Although the vulnerability is not directly exploitable, the combination with another exploit significantly elevates the risk, particularly in environments with complex configurations or third-party modules introducing potential injection points.
CVE-2024-55636 is not currently known to be actively exploited. It was publicly disclosed on December 10, 2024. The vulnerability's reliance on a separate exploit significantly reduces its immediate risk, but the potential for combined attacks warrants attention. The CVSS score of 9.8 reflects the severity if successfully exploited.
Exploit Status
EPSS
8.79% (92nd percentile)
CVSS Vector
The primary mitigation for CVE-2024-55636 is upgrading Drupal Core to version 10.2.11 or later. This release includes type declarations for properties in several core classes, preventing the object injection. While a direct exploit is not known, review all third-party modules and custom code for potential vulnerabilities that could allow input to unserialize(). Consider implementing stricter input validation and sanitization practices to further reduce the attack surface. After upgrading, confirm the fix by verifying the presence of type declarations in relevant Drupal core classes.
Update Drupal Core to the latest available version. For versions 8.x to 10.2.x, update to version 10.2.11 or higher. For versions 10.3.x, update to version 10.3.9 or higher. For versions 11.0.x, update to version 11.0.8 or higher.
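The per-branch fix versions above are easy to get wrong when checking a fleet of sites by hand, so here is an added example (not from the advisory or the Drupal project) that reads a composer.lock and reports whether the locked drupal/core version is below the fixed release for its branch. The branch thresholds (10.2.11 for 8.x through 10.2.x, 10.3.9 for 10.3.x, 11.0.8 for 11.0.x) are taken from the upgrade guidance above; the handling of drupal/core-recommended as a stand-in for drupal/core, the "unknown" result for branches the advisory does not list, and the embedded sample lock file are assumptions made for the example.

```python
import json
import re

# Fixed-in versions per release branch, from the advisory's upgrade guidance.
BRANCH_FIX = {
    (10, 3): (10, 3, 9),
    (11, 0): (11, 0, 8),
}
# 8.x through 10.2.x all resolve to this release per the guidance.
DEFAULT_FIX = (10, 2, 11)

# Package names whose locked version tracks Drupal core.
# drupal/core-recommended is included as an assumption: its version
# mirrors drupal/core in standard Composer-managed installs.
CORE_PACKAGES = ("drupal/core", "drupal/core-recommended")


def parse_version(version):
    """Return (major, minor, patch) for a release tag such as '10.3.5' or 'v10.3.5'.
    Dev and non-numeric tags (e.g. '10.3.x-dev') return None."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True if the version is below the fixed release for its branch,
    False if it is at or above it, None if the branch is not covered
    by the advisory data used here (e.g. 11.1+ or unparseable tags)."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    major, minor, _ = parsed
    if (major, minor) in BRANCH_FIX:
        return parsed < BRANCH_FIX[(major, minor)]
    if major < 10 or (major == 10 and minor <= 2):
        return parsed < DEFAULT_FIX
    return None


def check_lock(lock_json):
    """Scan a composer.lock document and return {package: (version, affected)}
    for every core package found in 'packages' or 'packages-dev'."""
    data = json.loads(lock_json)
    results = {}
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        name = pkg.get("name")
        if name in CORE_PACKAGES:
            version = pkg.get("version", "")
            results[name] = (version, is_affected(version))
    return results


# Constructed sample lock file (not a real project's lock) for a stand-alone run.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.5"},
        {"name": "symfony/yaml", "version": "v6.4.8"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, (version, affected) in check_lock(SAMPLE_LOCK).items():
        status = {True: "AFFECTED", False: "fixed", None: "unknown branch"}[affected]
        print(f"{name} {version}: {status}")
```

Run it against a real lock file with `check_lock(open("composer.lock").read())`; an "unknown branch" result means the locked version is on a branch the advisory text above does not list, and should be checked against the official Drupal advisory rather than assumed safe.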
CVE-2024-55636 is a critical vulnerability in Drupal Core that, when combined with another exploit, could allow an attacker to delete files. It requires a separate vulnerability to be exploitable.
If you are running Drupal Core versions 9.5.9 or earlier, you are potentially affected. Upgrade to 10.2.11 or later to mitigate the risk.
Upgrade Drupal Core to version 10.2.11 or later. Review third-party modules and custom code for potential vulnerabilities.
Currently, there are no reports of CVE-2024-55636 being actively exploited, but the potential for combined attacks remains a concern.
Refer to the official Drupal security advisory at https://www.drupal.org/security/advisories/cve-2024-55636 for detailed information.