Platform: drupal
Component: drupal
Fixed in: 10.2.11, 10.3.9, 11.0.8
CVE-2024-55637 identifies a potential PHP Object Injection vulnerability within Drupal Core. Although it is not directly exploitable on its own, it could be chained into Remote Code Execution (RCE) when combined with a separate flaw that lets attacker-controlled input reach unserialize(). This vulnerability affects Drupal Core versions up to 9.5.9 and has been addressed in version 10.2.11.
The core of the vulnerability lies in the potential for an attacker to inject malicious PHP objects. While Drupal Core currently lacks known exploits that directly trigger this injection, the presence of this vulnerability significantly increases the attack surface. If an attacker can find or create a separate vulnerability allowing them to control input passed to unserialize(), they could then exploit CVE-2024-55637 to execute arbitrary code on the server. The potential impact is severe, ranging from data breaches and website defacement to complete system compromise and lateral movement within the network. This is particularly concerning for organizations relying on Drupal for critical applications or sensitive data storage.
CVE-2024-55637 is currently not considered actively exploited in the wild. It is not listed on the CISA KEV catalog. Public proof-of-concept (POC) code is not widely available, which contributes to the low current risk. However, the vulnerability's potential for RCE warrants careful attention and prompt remediation, especially given the complexity of Drupal deployments and the potential for undiscovered vulnerabilities in custom modules.
EPSS: 7.61% (92nd percentile)
The primary mitigation for CVE-2024-55637 is to upgrade Drupal Core to version 10.2.11 or later. This version includes type constraints on properties within Drupal core classes, effectively preventing the object injection. If immediate upgrading is not feasible, consider implementing strict input validation and sanitization routines to prevent any potentially unsafe data from reaching the unserialize() function. While not a direct fix, this can reduce the likelihood of exploitation. Regularly review and update all Drupal modules and themes to ensure they are free from vulnerabilities that could be exploited in conjunction with CVE-2024-55637. After upgrade, confirm by verifying the Drupal core version is 10.2.11 or higher.
Update Drupal Core to the latest available version. For versions 8.x to 10.2.x, update to version 10.2.11 or higher. For versions 10.3.x, update to version 10.3.9 or higher. For versions 11.0.x, update to version 11.0.8 or higher.
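The per-branch thresholds above can be turned into a simple check against a project's composer.lock. The following is an added example, not code from Drupal or from this advisory; the sample lock content is constructed, and the "unknown" result for dev snapshots and for branches the advisory does not name is this example's own choice.

```python
"""Decide whether a composer.lock pins a drupal/core release affected by
CVE-2024-55637, using the per-branch fixed versions from the advisory."""
import json
import re

# First fixed release per branch, as stated in the advisory.
FIXED_LEGACY = (10, 2, 11)          # 8.x, 9.x and 10.0-10.2 must reach 10.2.11
FIXED_BY_BRANCH = {(10, 3): (10, 3, 9), (11, 0): (11, 0, 8)}


def parse_version(text):
    """(major, minor, patch) for a release tag such as '10.2.10' or 'v9.5.9';
    None for dev snapshots ('10.3.x-dev') or anything else non-numeric."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def required_fix(version):
    """Fixed release this drupal/core version must reach, or None when the
    advisory does not name that branch."""
    major, minor, _ = version
    if major < 10 or (major == 10 and minor <= 2):
        return FIXED_LEGACY
    return FIXED_BY_BRANCH.get((major, minor))


def assess(version_text):
    """'affected', 'fixed' or 'unknown' for a drupal/core version string."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"          # dev snapshot: cannot compare to a release
    fix = required_fix(version)
    if fix is None:
        return "unknown"          # branch not covered by the advisory
    return "affected" if version < fix else "fixed"


def drupal_core_version(lock_text):
    """Version string of drupal/core in a composer.lock, or None if absent."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "drupal/core":
            return pkg.get("version")
    return None


# Constructed composer.lock fragment (not a real project file).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "drupal/core", "version": "10.2.10"},
    {"name": "symfony/yaml", "version": "v6.3.8"},
]})

if __name__ == "__main__":
    ver = drupal_core_version(SAMPLE_LOCK)
    print(f"drupal/core {ver}: {assess(ver)}")   # drupal/core 10.2.10: affected
```

Run it against a real lock file by replacing SAMPLE_LOCK with the file's contents; a site on a patched branch should report "fixed" for the drupal/core entry.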
CVE-2024-55637 is a CRITICAL vulnerability in Drupal Core where malicious PHP objects could potentially be injected, leading to Remote Code Execution if combined with another exploit.
Yes, if you are running Drupal Core versions 9.5.9 or earlier, you are potentially affected by this vulnerability.
Upgrade Drupal Core to version 10.2.11 or later to mitigate this vulnerability. Implement strict input validation as an interim measure.
Currently, there is no evidence of active exploitation in the wild, but the potential for RCE warrants prompt remediation.
Refer to the official Drupal security advisory at https://www.drupal.org/security/advisories/cve-2024-55637 for detailed information and updates.