CVE-2024-55555
Published: 07 January 2025
Summary
CVE-2024-55555 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability. The vendor field was inferred from the references as Synacktiv (the firm that published the advisory); the affected product itself is Invoice Ninja, as the details below describe. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 2.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).
Deeper analysis
Invoice Ninja versions prior to 5.10.43 contain a remote code execution vulnerability that stems from a pre-authenticated route accepting a user-supplied hash parameter. The affected component is the route/{hash} endpoint defined in invoiceninja/routes/client.php, which passes the decrypted value directly to an unserialize call. Publicly available .env files in the product repository contain default APP_KEY values, lowering the barrier for attackers who obtain this key.
An attacker in possession of the APP_KEY can reach the unauthenticated route, supply a Laravel-encrypted payload that decrypts to a serialized object, and trigger one of several available gadget chains to achieve arbitrary command execution on the server. The flaw maps to CWE-502 and carries a CVSS 3.1 score of 8.8, reflecting network-accessible exploitation with high impact on confidentiality, integrity, and availability.
The referenced Synacktiv advisory and the patch commit d9302021472c3e7e23bac8c3d5fbec57a5f38f0c indicate that upgrading to version 5.10.43 addresses the issue by removing or hardening the exposed route and its deserialization path. The EPSS score has remained flat at 0.46 since disclosure, providing no indication of rising exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-52806
Vulnerability details
Invoice Ninja before 5.10.43 allows remote code execution from a pre-authenticated route when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values. The route/{hash} route defined in the invoiceninja/routes/client.php file can be accessed without authentication. The parameter {hash} is passed to the function decrypt that expects a Laravel ciphered value containing a serialized object. (Furthermore, Laravel contains several gadget chains usable to trigger remote command execution from arbitrary deserialization.) Therefore, an attacker in possession of the APP_KEY is able to fully control a string passed to an unserialize function.
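The decrypt-then-unserialize pattern described above, shown as an added example beside a hardened form. This is illustrative code written for this page, not Invoice Ninja's own routes/client.php; the handler name, the JSON payload shape and the middleware choices are assumptions.

```php
<?php
// Illustration added for this page: the vulnerable decrypt->unserialize
// pattern, beside a hardened version. Not Invoice Ninja's code; the
// handler, payload shape and middleware names are assumptions.

use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Support\Facades\Route;

// VULNERABLE pattern (CWE-502). Laravel's decrypt() helper defaults to
// $unserialize = true, so the route hands whatever plaintext the ciphertext
// holds straight to unserialize(). With APP_KEY known, the MAC check passes
// and an arbitrary object graph is instantiated before any auth check.
Route::get('route/{hash}', function (string $hash) {
    $data = decrypt($hash);               // == unserialize(<decrypted plaintext>)
    return handleInvoiceRequest($data);   // assumed application handler
});

// HARDENED pattern.
//  - AC-14: do not expose the route without authentication unless it must be
//    public; here it requires a logged-in user and is rate limited.
//  - SI-10: decrypt to a plain string (never let the framework unserialize),
//    then accept only an explicit, minimal JSON shape.
Route::middleware(['auth', 'throttle:10,1'])
    ->get('route/{hash}', function (string $hash) {
        try {
            $plain = decrypt($hash, false);  // $unserialize = false: string only
            $payload = json_decode($plain, true, 512, JSON_THROW_ON_ERROR);
        } catch (DecryptException | \JsonException $e) {
            abort(404);   // bad MAC, wrong key or malformed body: no detail leaked
        }
        // Allow-list the fields and their types; reject anything else.
        if (!is_array($payload)
            || array_keys($payload) !== ['invoice_id']
            || !is_int($payload['invoice_id'])
            || $payload['invoice_id'] <= 0) {
            abort(422);
        }
        return handleInvoiceRequest($payload['invoice_id']);
    });

// If legacy links truly require PHP serialization, the minimum defence is to
// forbid object instantiation: unserialize($plain, ['allowed_classes' => false]).
```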
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
RCE via unauthenticated deserialization on a public web route directly enables T1190 (Exploit Public-Facing Application) and arbitrary command execution via a Unix shell.
Mitigating Controls (NIST 800-53 r5)
- Vendor patch (Invoice Ninja 5.10.43): directly remediates the deserialization flaw in the unauthenticated /route/{hash} endpoint by applying the vendor patch released in Invoice Ninja version 5.10.43.
- SI-10 (Information Input Validation): validates the untrusted {hash} input parameter prior to decryption and unserialization, preventing injection of malicious serialized objects that trigger Laravel gadget chain RCE.
- AC-14 (Permitted Actions Without Identification or Authentication): restricts permitted actions without authentication, preventing unauthenticated access to the vulnerable /route/{hash} endpoint that enables pre-auth RCE.