CVE-2024-55417: 
PHP vulnerability analysis and mitigation

DevDojo Voyager through version 1.8.0 contains a critical vulnerability (CVE-2024-55417) that allows authenticated users to bypass file type verification when uploading files via the /admin/media/upload endpoint. This vulnerability enables attackers to upload web shells, potentially leading to arbitrary code execution on the server. The vulnerability was discovered in September 2024 and publicly disclosed in January 2025 after multiple unsuccessful attempts to contact the project maintainers (SonarSource Blog).

The vulnerability exists in Voyager's media upload component where the MIME type verification can be bypassed. While the system attempts to verify file types using Laravel's getMimeType function, attackers can craft polyglot files that appear as legitimate image or video files but contain executable PHP code. The system's default allowedMimeTypes list includes seemingly harmless content types such as image/jpeg, image/png, image/gif, image/bmp, and video/mp4. The vulnerability has been assigned a CVSS 3.1 Base Score of 4.3 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (NVD).

When successfully exploited, this vulnerability allows attackers to execute arbitrary code on the server through uploaded web shells. The impact is particularly severe when combined with other vulnerabilities in the system, as it can lead to complete server compromise, database modification, credential theft, and potential escalation to full server takeover (Hacker News).

As of version 1.8.0, no official patches are available to address this vulnerability. Users are strongly advised to carefully consider using this project in their applications and exercise extreme caution. Organizations should implement additional security controls, such as strict access controls to admin interfaces and careful monitoring of file uploads (SonarSource Blog).

The security community has expressed significant concern about the vulnerability, particularly due to Voyager's popularity with over 11,000 GitHub stars and millions of downloads. The lack of response from project maintainers despite multiple attempts to contact them has further heightened these concerns (SonarSource Blog).