A critical One-Click Remote Code Execution (RCE) vulnerability has been discovered in Voyager, a widely-used open-source PHP package for Laravel applications.
The flaw, which exploits arbitrary file write and MIME type handling, can allow attackers to execute malicious code on servers hosting the software.
Despite multiple disclosure attempts, the issue remains unpatched in the latest Voyager version (1.8.0).
Exploiting MIME Type Inference
The vulnerability stems from Voyager’s media upload component, which uses Laravel’s MIME type-sniffing mechanism to validate uploaded files.
While this mechanism is intended to enhance security by analyzing file content, it can be manipulated.
Specifically, attackers can craft “polyglot files”: files that appear to be legitimate media formats but conceal malicious PHP scripts.
Coupled with the absence of proper file extension checks, the flaw enables an attacker to execute code on the server by uploading a file disguised as an image or video but containing executable PHP code.
A Single Click with Devastating Consequences
To exploit this flaw, an attacker must convince an authenticated user with specific “browse_media” permissions to click on a malicious link.
Once clicked, the crafted payload triggers the execution of arbitrary PHP code on the server.

The vulnerability’s impact is further amplified when combined with Cross-Site Scripting (XSS) found in Voyager’s /admin/compass endpoint.
By leveraging XSS, attackers can execute operations on behalf of users, such as data leakage, file deletion, and privilege escalation.
Further analysis revealed related vulnerabilities, such as arbitrary file deletion and leakage via poorly sanitized file inputs in Voyager’s log-related features.
These issues can potentially disrupt server availability entirely or provide attackers access to sensitive server files.
Despite responsible disclosure efforts following a 90-day timeline, including email and GitHub reports to the project maintainers, no response or fix has been provided.
The SonarSource researchers have publicly disclosed the vulnerabilities to alert the community about the risks.
Administrators using Voyager are strongly urged to limit user access to functions like “browse_media” and implement additional server-side filtering mechanisms to block malicious file uploads.
Monitoring server logs for suspicious activity and isolating Voyager instances wherever possible are also advised.
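The weakness described under “Exploiting MIME Type Inference” (content sniffing with no extension check) and the server-side filtering recommended above can both be illustrated with a small, self-contained validator. The following is an added example written for this article; it is not Voyager’s or Laravel’s code. The magic-byte table, the allowlist, the sample files and the function names are all constructed for illustration, and the hardened check is one reasonable design, not the project’s own fix.

```python
import os
import re
from typing import Optional, Tuple

# Constructed samples (not taken from the article): a benign GIF header with
# padding, and a polyglot that carries the same GIF header followed by a PHP tag.
# A content-only MIME sniffer reports both as image/gif.
BENIGN_GIF = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 16
POLYGLOT_GIF = b"GIF89a" + b"\x01\x00\x01\x00" + b"<?php echo 'hello'; ?>"

# Minimal magic-byte table; real sniffers (finfo, Symfony's MIME guesser) are
# larger but work on the same principle: only the leading bytes are inspected.
MAGIC = {
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
}

# Extension allowlist, mapped to the MIME type the content must sniff as.
ALLOWED = {
    ".gif": "image/gif",
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
}

# Heuristic scan for PHP open tags anywhere in the body (covers "<?php" and "<?=").
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def sniff_mime(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def naive_is_allowed(filename: str, data: bytes) -> bool:
    """The weak check: trust the sniffed content type and ignore the extension.

    A polyglot named shell.php passes, because its first bytes are a GIF header.
    """
    return sniff_mime(data) in ALLOWED.values()


def hardened_is_allowed(filename: str, data: bytes) -> Tuple[bool, str]:
    """Layered check: extension allowlist, content sniff, agreement, tag scan."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return False, "extension not allowlisted"
    sniffed = sniff_mime(data)
    if sniffed is None:
        return False, "unrecognized content"
    if sniffed != ALLOWED[ext]:
        return False, "extension/content mismatch"
    if PHP_TAG.search(data):
        return False, "embedded PHP tag"
    return True, "ok"


if __name__ == "__main__":
    for name, blob in [("photo.gif", BENIGN_GIF), ("shell.php", POLYGLOT_GIF),
                       ("shell.php.gif", POLYGLOT_GIF)]:
        print(name, "naive:", naive_is_allowed(name, blob),
              "hardened:", hardened_is_allowed(name, blob))
```

The extension check alone stops the plain `shell.php` case; the tag scan catches a polyglot that keeps an allowlisted extension. The scan is a heuristic, so the storage side still matters: keep uploads outside the web root or in a directory where the web server does not execute scripts, so a file that slips through the filter is served as data rather than run.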
This vulnerability highlights the need for rigorous security practices, especially in widely-used open-source projects.
Until a patch is released, users are encouraged to exercise extreme caution when deploying Voyager in production environments.