
CVE-2024-55555

High · RCE

Published: 07 January 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (Invoice Ninja 5.10.43)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4600 (97.7th percentile)
Risk Priority: 45 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-55555 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Invoice Ninja before version 5.10.43, reported by Synacktiv (the product attribution is inferred from the references, since NVD filed no CPE for this CVE). Its CVSS 3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it in the top 2.3% of CVEs by exploit likelihood, but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).

Deeper analysis

Invoice Ninja versions before 5.10.43 contain a remote code execution vulnerability in a pre-authenticated route that accepts a user-supplied hash parameter. The affected route is route/{hash}, defined in invoiceninja/routes/client.php: the parameter is decrypted with the application's APP_KEY and the resulting plaintext is passed directly to unserialize. The .env files published in the product's repository carry default APP_KEY values, so any deployment that kept a default key is exposed to anyone who can read that repository.

An attacker in possession of the APP_KEY can reach the unauthenticated route, supply a Laravel-encrypted payload that decrypts to a serialized object, and trigger one of several gadget chains available in Laravel to achieve arbitrary command execution on the server. The flaw maps to CWE-502 and carries a CVSS 3.1 score of 8.8, reflecting network-accessible exploitation with high impact on confidentiality, integrity, and availability. Note that the vector records PR:L even though the route itself requires no authentication: what the attacker needs is the APP_KEY, not an account on the application.

The referenced Synacktiv advisory and the patch commit d9302021472c3e7e23bac8c3d5fbec57a5f38f0c indicate that upgrading to version 5.10.43 addresses the issue in the route's decryption and deserialization path. Deployments that ran with a default APP_KEY taken from a repository .env should also replace that key, since the key is the only secret standing between an attacker and this route. The EPSS score has remained flat at 0.46 since disclosure: high in absolute terms (97.7th percentile), but showing no upward trend in exploitation interest.


Vulnerability details

Invoice Ninja before 5.10.43 allows remote code execution from a pre-authenticated route when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values. The route/{hash} route defined in the invoiceninja/routes/client.php file can be accessed without authentication. The parameter {hash} is passed to the function decrypt that expects a Laravel ciphered value containing a serialized object. (Furthermore, Laravel contains several gadget chains usable to trigger remote command execution from arbitrary deserialization.) Therefore, an attacker in possession of the APP_KEY is able to fully control a string passed to an unserialize function.
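The following is an added illustration, not code from Invoice Ninja or from the Synacktiv advisory. It reproduces the pattern described above in plain PHP so the failure can be traced end to end: a route parameter is decrypted with APP_KEY and the plaintext is handed to unserialize(), beside a hardened handler that validates the decrypted value instead. It assumes the envelope format of Laravel's Encrypter (base64 JSON carrying iv, value and an HMAC-SHA256 mac computed over base64(iv) followed by base64(value)); the handler and helper names, and the 32-character hex token the hardened handler expects, are invented for the example and say nothing about how the vendor's patch works.

```php
<?php
// Added example, not the project's code. Helper and handler names are
// assumptions; the envelope layout follows Laravel's Encrypter format.

// Build a Laravel-style ciphertext for $plaintext under $key (32 raw bytes).
function laravel_encrypt(string $plaintext, string $key): string {
    $iv    = random_bytes(16);
    $value = openssl_encrypt($plaintext, 'aes-256-cbc', $key, 0, $iv); // base64 output
    $mac   = hash_hmac('sha256', base64_encode($iv) . $value, $key);
    return base64_encode(json_encode([
        'iv'    => base64_encode($iv),
        'value' => $value,
        'mac'   => $mac,
    ]));
}

// Return the plaintext, or null when the envelope is malformed or the MAC
// does not verify. An attacker holding a leaked or default APP_KEY passes
// this check exactly as the application's own links do.
function laravel_decrypt(string $payload, string $key): ?string {
    $json = base64_decode($payload, true);
    $env  = $json === false ? null : json_decode($json, true);
    if (!is_array($env) || !isset($env['iv'], $env['value'], $env['mac'])) {
        return null;
    }
    $expected = hash_hmac('sha256', $env['iv'] . $env['value'], $key);
    if (!hash_equals($expected, (string) $env['mac'])) {
        return null;
    }
    $iv = base64_decode($env['iv'], true);
    if ($iv === false || strlen($iv) !== 16) {
        return null;
    }
    $plain = openssl_decrypt($env['value'], 'aes-256-cbc', $key, 0, $iv);
    return $plain === false ? null : $plain;
}

// Vulnerable shape (CWE-502): the decrypted bytes go straight to unserialize(),
// so whoever holds the key decides which object graph gets instantiated.
function vulnerable_route(string $hash, string $key) {
    $plain = laravel_decrypt($hash, $key);
    return $plain === null ? null : unserialize($plain);
}

// Hardened shape: treat the decrypted value as an opaque identifier, check its
// shape, and never pass it to unserialize(). The hex-id format is an assumption.
function hardened_route(string $hash, string $key): ?string {
    $plain = laravel_decrypt($hash, $key);
    if ($plain === null || !preg_match('/\A[a-f0-9]{32}\z/', $plain)) {
        return null;
    }
    return $plain;
}

// Demo. The key is generated here; a deployment that kept a repository default
// APP_KEY hands this same value to everyone who reads the published .env.
$appKey = random_bytes(32);

// Constructed payload: a benign serialized array standing in for a gadget chain.
$serialized = laravel_encrypt(serialize(['invoice' => 42]), $appKey);
var_dump(vulnerable_route($serialized, $appKey)); // attacker-chosen data reached unserialize()
var_dump(hardened_route($serialized, $appKey));   // refused: not a plain hex id

$token = laravel_encrypt(bin2hex(random_bytes(16)), $appKey);
var_dump(hardened_route($token, $appKey));        // the legitimate token shape still works

$wrongKey = random_bytes(32);
var_dump(vulnerable_route($serialized, $wrongKey)); // MAC check fails without the real APP_KEY
```

The last call shows why the APP_KEY is the whole story: with any other key the MAC check rejects the payload before decryption, so the default keys in the repository .env files are what turn a key-protected route into a public one. In a Laravel application the same distinction exists in the framework API: the `decrypt()` helper unserializes the plaintext by default, while `decryptString()` returns it as a string; where serialized data is genuinely required, `unserialize($plain, ['allowed_classes' => false])` prevents object instantiation and with it the gadget chains.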

CWE(s)

CWE-502 Deserialization of Untrusted Data

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated deserialization on a public web route is a direct instance of T1190 (exploitation of a public-facing application), and the resulting arbitrary command execution runs through the server's Unix shell, which is T1059.004.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-1913 (shared CWE-502)
CVE-2026-32502 (shared CWE-502)
CVE-2026-24989 (shared CWE-502)
CVE-2025-26885 (shared CWE-502)
CVE-2025-30773 (shared CWE-502)
CVE-2026-25358 (shared CWE-502)
CVE-2026-29109 (shared CWE-502)
CVE-2024-11465 (shared CWE-502)
CVE-2026-25316 (shared CWE-502)
CVE-2025-69036 (shared CWE-502)

Affected Assets

Invoice Ninja (versions before 5.10.43)
inferred from the references and description; NVD did not file a CPE for this CVE. Synacktiv is the reporting researcher, not the affected vendor.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: vendor patch

Directly remediates the deserialization flaw in the unauthenticated /route/{hash} endpoint by applying the vendor patch released in Invoice Ninja version 5.10.43.

prevent: SI-10 (Information Input Validation)

Validates the untrusted {hash} input parameter prior to decryption and unserialization, preventing injection of malicious serialized objects that trigger Laravel gadget chain RCE.

prevent: AC-14 (Permitted Actions Without Identification or Authentication)

Restricts the actions permitted without authentication, preventing unauthenticated access to the vulnerable /route/{hash} endpoint that enables pre-auth RCE.
