Description
Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP’s unserialize() function without restricting which classes can be instantiated, which leaves users vulnerable to Remote Code Execution. The exploitability of this vulnerability is increased because Redis servers are commonly deployed without authentication, but only affects Laravel Reverb when horizontal scaling is enabled (REVERB_SCALING_ENABLED=true). This issue has been fixed in version 1.7.0. As a workaround, require a strong password for Redis access and ensure the service is only accessible via a private network or local loopback, and/or set REVERB_SCALING_ENABLED=false to bypass the vulnerable logic entirely (if the environment uses only one Reverb node).
Published: 2026-01-21
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

Laravel Reverb permits deserialization of data received from a Redis channel through PHP's unserialize() without class restrictions, enabling an attacker to instantiate arbitrary objects that can trigger code execution when horizontal scaling is enabled. The vulnerability is flagged as CWE-502, reflecting insecure deserialization that can be leveraged to run malicious code on the server. This flaw directly threatens the confidentiality, integrity, and availability of any application that relies on Reverb for real-time communication, because the attacker can execute arbitrary PHP code with the privileges of the process that runs Reverb.

Affected Systems

Applications using Laravel Reverb version 1.6.3 or earlier with REVERB_SCALING_ENABLED set to true are impacted. The issue has been corrected starting with Reverb 1.7.0. It also requires a working Redis instance; the flaw manifests only when horizontal scaling is activated.

Risk and Exploitability

The CVSS score of 9.8 classifies it as critical, and the EPSS score of less than 1% indicates low current exploitation probability, although the high severity warrants immediate attention. Exploitation requires access to a Redis instance that is not protected by authentication, which is common in many deployments. Attackers can inject crafted payloads into Redis channels, which are then unserialized by Reverb, resulting in remote code execution. The flaw is not listed in the KEV catalog but its severity and the straightforward attack path make it a high-risk vulnerability if left unpatched.

Generated by OpenCVE AI on April 18, 2026 at 04:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Laravel Reverb to version 1.7.0 or later where the vulnerable logic has been removed.
  • If an upgrade is not feasible, disable horizontal scaling by setting REVERB_SCALING_ENABLED=false to bypass the unsafe deserialization path entirely.
  • Apply strong authentication to the Redis server and restrict its network exposure to a private subnet or loopback interface to prevent unauthenticated access to the channel data.
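As an added illustration of the fix the description and the recommended actions point to (stop handing channel data to an unrestricted unserialize(), or avoid PHP serialization for channel data altogether), the following PHP is example code written for this page, not Laravel Reverb's own implementation. The BroadcastEnvelope class, the decode* function names and the serialized sample payload are assumptions constructed here; only the unserialize() options are real PHP.

```php
<?php
// Added example, not Laravel Reverb's code: contrast an unrestricted
// unserialize() of a Redis pub/sub payload with two hardened variants.

declare(strict_types=1);

// Hypothetical message envelope a scaling node might publish (assumption).
final class BroadcastEnvelope
{
    public function __construct(public string $channel, public array $payload) {}
}

// Vulnerable pattern (CWE-502): any autoloadable class can be instantiated,
// and its magic methods (__wakeup, __destruct, ...) run on untrusted input.
function decodeUnsafe(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened: refuse object instantiation entirely. Objects in the payload
// become __PHP_Incomplete_Class instances whose magic methods never run.
// max_depth additionally bounds nested structures (PHP >= 7.4).
function decodeHardened(string $raw): mixed
{
    $value = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 16]);
    if ($value === false && $raw !== serialize(false)) {
        throw new InvalidArgumentException('malformed payload');
    }
    return $value;
}

// Preferred: carry the envelope as JSON so no PHP object graph is ever
// rebuilt from channel data; validate the shape before using it.
function decodeJson(string $raw): BroadcastEnvelope
{
    $data = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($data) || !isset($data['channel'], $data['payload'])
        || !is_string($data['channel']) || !is_array($data['payload'])) {
        throw new InvalidArgumentException('unexpected envelope shape');
    }
    return new BroadcastEnvelope($data['channel'], $data['payload']);
}

// Constructed sample: a serialized object of an arbitrary class name,
// standing in for whatever an unauthenticated Redis client could publish.
$constructed = 'O:22:"SomeAutoloadableGadget":1:{s:4:"path";s:8:"/tmp/out";}';

$hardened = decodeHardened($constructed);
printf("hardened: %s\n", get_class($hardened)); // __PHP_Incomplete_Class

$json = decodeJson('{"channel":"orders","payload":{"id":42}}');
printf("json: channel=%s id=%d\n", $json->channel, $json->payload['id']);
```

Run with `php example.php`. The hardened decoder neutralises object payloads rather than rejecting them, which keeps plain arrays and scalars working; the JSON path is the stricter option because it never creates PHP objects from the channel at all. Either way, Redis authentication and network restriction (the third recommended action) remain necessary, since a writable channel is still an injection point for whatever the consumer does with the data.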



Advisories

Source: Github GHSA
ID: GHSA-m27r-m6rx-mhm4
Title: Laravel Redis Horizontal Scaling Insecure Deserialization
History

Fri, 06 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:laravel:reverb:*:*:*:*:*:*:*:*

Fri, 23 Jan 2026 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Laravel; Laravel reverb
Vendors & Products | | Laravel; Laravel reverb

Thu, 22 Jan 2026 23:00:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 21 Jan 2026 22:15:00 +0000

Type | Values Removed | Values Added
Description | | Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP's unserialize() function without restricting which classes can be instantiated, which leaves users vulnerable to Remote Code Execution. The exploitability of this vulnerability is increased because Redis servers are commonly deployed without authentication, but only affects Laravel Reverb when horizontal scaling is enabled (REVERB_SCALING_ENABLED=true). This issue has been fixed in version 1.7.0. As a workaround, require a strong password for Redis access and ensure the service is only accessible via a private network or local loopback, and/or set REVERB_SCALING_ENABLED=false to bypass the vulnerable logic entirely (if the environment uses only one Reverb node).
Title | | Laravel Redis Horizontal Scaling Insecure Deserialization
Weaknesses | | CWE-502
References | |
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T16:49:37.182Z

Reserved: 2026-01-13T18:22:43.980Z

Link: CVE-2026-23524

Vulnrichment

Updated: 2026-01-22T15:13:35.611Z

NVD

Status : Analyzed

Published: 2026-01-21T22:15:50.280

Modified: 2026-03-06T20:02:37.250

Link: CVE-2026-23524

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:15:05Z

Weaknesses