VulnerableCode Package Details - pkg:composer/livewire/livewire@2.4.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-h7s5-tq2x-23gv Aliases: CVE-2024-47823 GHSA-f3cx-396f-7jqp	Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a “.php” file extension. If the following criteria are met, the attacker can carry out an RCE attack: 1. Filename is composed of the original file name using `$file->getClientOriginalName()`. 2. Files stored directly on your server in a public storage disk. 3. Webserver is configured to execute “.php” files. This issue has been addressed in release versions `2.12.7` and `3.5.2`. All users are advised to upgrade. There are no known workarounds for this vulnerability.	2.12.7 Affected by 0 other vulnerabilities. 3.5.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-xved-bhsc-rfg1 Aliases: CVE-2024-22859 GHSA-2cjh-75gp-34gc	Cross-Site Request Forgery (CSRF) vulnerability in livewire before v3.0.4, allows remote attackers to execute arbitrary code getCsrfToken function. NOTE: the vendor disputes this because the 5d88731 commit fixes a usability problem (HTTP 419 status codes for legitimate client activity), not a security problem.	3.0.4 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-h7s5-tq2x-23gv
Aliases:
CVE-2024-47823
GHSA-f3cx-396f-7jqp

Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a “.php” file extension. If the following criteria are met, the attacker can carry out an RCE attack: 1. Filename is composed of the original file name using `$file->getClientOriginalName()`. 2. Files stored directly on your server in a public storage disk. 3. Webserver is configured to execute “.php” files. This issue has been addressed in release versions `2.12.7` and `3.5.2`. All users are advised to upgrade. There are no known workarounds for this vulnerability.

2.12.7
Affected by 0 other vulnerabilities.

3.5.2
Affected by 1 other vulnerability.

VCID-xved-bhsc-rfg1
Aliases:
CVE-2024-22859
GHSA-2cjh-75gp-34gc

Cross-Site Request Forgery (CSRF) vulnerability in livewire before v3.0.4, allows remote attackers to execute arbitrary code getCsrfToken function. NOTE: the vendor disputes this because the 5d88731 commit fixes a usability problem (HTTP 419 status codes for legitimate client activity), not a security problem.

3.0.4
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T19:42:31.096692+00:00	GitLab Importer	Affected by	VCID-h7s5-tq2x-23gv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/livewire/livewire/CVE-2024-47823.yml	38.6.0
2026-06-12T19:18:15.388573+00:00	GitLab Importer	Affected by	VCID-xved-bhsc-rfg1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/livewire/livewire/CVE-2024-22859.yml	38.6.0

2026-06-12T19:42:31.096692+00:00

GitLab Importer

Affected by

VCID-h7s5-tq2x-23gv

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/livewire/livewire/CVE-2024-47823.yml

38.6.0

2026-06-12T19:18:15.388573+00:00

GitLab Importer

Affected by

VCID-xved-bhsc-rfg1

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/livewire/livewire/CVE-2024-22859.yml

38.6.0

Next non-vulnerable version	2.12.7
Latest non-vulnerable version	3.6.4
Risk	4.0