mckenziearts/livewire-markdown-editor, Arbitrary File Upload Vulnerability (Critical)

The vulnerability exists in the `MarkdownEditor::updatedAttachments()` Livewire handler of all versions prior to v1.3. When an authenticated user uploads a file via the editor’s file input, the handler calls `$file->store()` without any server‑side validation: no MIME type, file extension, or content inspection is performed. The file is stored to the disk defined by the config key `livewire-markdown-editor.disk`. In common deployments this disk points to a public cloud bucket (e.g., AWS S3, DigitalOcean Spaces, Cloudflare R2, Scaleway Object Storage), because `FILESYSTEM_DISK` is often set to such a service. Once uploaded, the file is served publicly with a `Content-Type` header guessed by the cloud provider. The client‑supplied original filename (`getClientOriginalName()`) is inserted verbatim into the generated markdown, enabling markdown injection via crafted filenames. The critical flaw is the complete absence of validation, which allows any file type (.html, .svg, .js, .php, .exe, etc.) to be uploaded. This leads to stored XSS on the storage domain (via .html or .svg files), hosting of phishing pages on the application’s own trusted storage domain, malware distribution from a domain that users trust, and markdown injection. Real‑world exploitation has been observed in production on a community platform.

dailycve form:

Platform: Laravel Livewire
Version: prior to v1.3
Vulnerability: Arbitrary file upload
Severity: Critical
Date: 2026-05-04

Prediction: Upgrade to v1.3

Analytics under What Undercode Say:

Check the installed version of livewire-markdown-editor:
`composer show mckenziearts/livewire-markdown-editor`
List all files uploaded to the public disk (the local driver can be listed directly; a cloud disk requires the provider’s API). For S3:
`aws s3 ls s3://your-bucket/path/ --recursive`
Search for suspicious HTML/JS files in uploads (the dot is escaped so it does not match any character):
`aws s3 ls s3://your-bucket/ --recursive | grep -E '\.(html|svg|js|php|exe)$'`
Simulate a malicious upload with curl (authenticated session required):
`curl -X POST -F "attachments[][email protected]" https://target.com/livewire/upload`

Exploit:

  1. Authenticate as any user with access to a page containing `<livewire:markdown-editor>`.
  2. Craft a malicious file (e.g., `xss.html` containing `<script>alert('XSS')</script>`).
  3. Upload the file using the editor’s file picker (no client‑side restrictions bypass needed).
  4. The file is stored to the public cloud bucket with a guessed `Content-Type` (e.g., `text/html`).
  5. Access the file via the public URL (predictable path, often within the storage domain).
  6. Optionally, set the filename to `[click](javascript:alert('XSS'))` to achieve markdown injection.

Protection from this CVE

  • Upgrade to v1.3 or later immediately.
  • If upgrade is impossible, disable the upload UI by adding `:show-upload="false"` to every `<livewire:markdown-editor>` tag.
  • After upgrade, validate that all uploaded files already in storage are safe (scan for malicious content).
  • Configure the cloud bucket to enforce strict Content‑Type headers based on file extension or use a CDN with WAF.
  • If you cannot move to v1.3 yet, implement server‑side validation manually by extending the component (e.g., applying Laravel validation rules to the uploaded file).
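As an added illustration of the last bullet (example code, not the package’s own implementation), the handler below shows what a hardened `updatedAttachments()` looks like in a hypothetical Livewire v3 component: a content-sniffed MIME allowlist validated server-side, a random server-chosen filename, and the client filename escaped before it becomes markdown link text. The class name `SafeMarkdownEditor`, the properties `attachments` and `markdown`, and the `attachments` storage folder are assumptions; the config key is the one named in the advisory.

```php
<?php
// Hypothetical component (added example, not mckenziearts/livewire-markdown-editor code).
namespace App\Livewire;

use Illuminate\Support\Facades\Storage;
use Illuminate\Support\Str;
use Livewire\Component;
use Livewire\WithFileUploads;

class SafeMarkdownEditor extends Component
{
    use WithFileUploads;

    public string $markdown = '';
    public array $attachments = [];

    // Allowlist keyed by the MIME type Laravel sniffs from file content.
    // SVG and HTML are deliberately absent: both run script when served inline.
    private const ALLOWED = [
        'image/png'       => 'png',
        'image/jpeg'      => 'jpg',
        'image/gif'       => 'gif',
        'image/webp'      => 'webp',
        'application/pdf' => 'pdf',
    ];

    public function updatedAttachments(): void
    {
        // Server-side validation runs before anything is written to the disk.
        $this->validate([
            'attachments.*' => ['file', 'max:5120', 'mimetypes:' . implode(',', array_keys(self::ALLOWED))],
        ]);
        $disk = config('livewire-markdown-editor.disk');

        foreach ($this->attachments as $file) {
            // Extension is derived from sniffed content, never from the client-supplied name.
            $ext  = self::ALLOWED[$file->getMimeType()];
            $name = Str::random(40) . '.' . $ext;   // unguessable, server-chosen path
            $path = $file->storeAs('attachments', $name, ['disk' => $disk]);

            // Remove anything that could break out of a markdown link before the
            // original filename is reused as the link text.
            $label = preg_replace('/[^A-Za-z0-9._ -]/', '', $file->getClientOriginalName());
            $url   = Storage::disk($disk)->url($path);
            $this->markdown .= ($ext === 'pdf' ? '' : '!') . "[{$label}]({$url})\n";
        }
        $this->attachments = [];
    }
}
```

The bucket’s `Content-Type` policy (the previous bullet) is still needed: the allowlist stops script-bearing formats from being stored, while the bucket setting stops the provider from serving what is stored under a type the browser would execute.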

Impact

  • Stored XSS on the storage domain, allowing session hijacking or defacement.
  • Trust laundering: attackers host phishing pages on the application’s own storage domain (e.g., `https://storage.app.com/login.html`).
  • Malware distribution from a domain associated with the legitimate application.
  • Markdown injection in editor output via malicious filenames, leading to XSS or link manipulation.
  • Full compromise of confidentiality and integrity if a `.php` file is uploaded and the cloud bucket is misconfigured to execute scripts (rare on S3 but possible on other object storage with CDN integration).

Sources:

Reported By: github.com