GHSA-R33W-FG8J-9C94
Vulnerability from github – Published: 2026-02-12 22:11 – Updated: 2026-02-12 22:11
Description
MagicLink stores serialized action objects in the magic_links.action database column and deserializes them without integrity validation or class allowlisting in src/MagicLink.php and src/Actions/ResponseAction.php. An attacker with the ability to manipulate database records (e.g., via SQL injection or compromised admin access) could inject malicious serialized objects containing arbitrary closures, leading to Remote Code Execution (RCE) when the magic link is visited.
Resolution
The vulnerability has been mitigated through HMAC-signed serialization using the application key, class allowlisting restricted to ActionAbstract subclasses and framework classes, strict type validation preventing arbitrary object storage, and backward compatibility support for legacy data via allowed_classes in unserialize(). Implementation includes a new Serializable security class with signing/verification, refactored getter/setter methods in MagicLink.
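The mitigation pattern described above, as an added PHP example that is not code from laravel-magiclink: the serialized action is signed with an HMAC keyed by the application key, the tag is verified before unserialize() runs, and unserialize() is limited to an allowlist. ExampleAction, SignedSerializer and the key value are assumptions for illustration.

```php
<?php
// Added example, not the project's own code. ExampleAction and the key are hypothetical.

abstract class ActionAbstract {}

final class ExampleAction extends ActionAbstract
{
    public function __construct(public string $target = '/') {}
}

final class SignedSerializer
{
    // allowed_classes matches exact class names, so list each concrete action class.
    private const ALLOWED = [ExampleAction::class];

    public function __construct(private string $key) {}

    // Store: serialize, then append an HMAC over the payload so that any edit to the
    // database column is detected before unserialize() ever sees the bytes.
    public function sign(ActionAbstract $action): string
    {
        $payload = serialize($action);
        $mac = hash_hmac('sha256', $payload, $this->key);
        return $mac . ':' . base64_encode($payload);
    }

    // Load: verify the tag in constant time first; only then unserialize, and only
    // into allowlisted classes (anything else becomes __PHP_Incomplete_Class).
    public function verify(string $stored): ?ActionAbstract
    {
        if (!str_contains($stored, ':')) {
            return null; // unsigned data, e.g. a legacy or hand-edited row
        }
        [$mac, $encoded] = explode(':', $stored, 2);
        $payload = base64_decode($encoded, true);
        if ($payload === false || !hash_equals(hash_hmac('sha256', $payload, $this->key), $mac)) {
            return null; // tampered column: refuse to deserialize at all
        }
        $object = unserialize($payload, ['allowed_classes' => self::ALLOWED]);
        return $object instanceof ActionAbstract ? $object : null;
    }
}

// Constructed demo values; in Laravel the key would come from the application key.
$serializer = new SignedSerializer('constructed-demo-key');
$stored = $serializer->sign(new ExampleAction('/dashboard'));
var_dump($serializer->verify($stored) instanceof ExampleAction);
// A modified column no longer matches the tag and is rejected before unserialize().
var_dump($serializer->verify(substr($stored, 0, -4) . 'AAAA'));
```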
{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "cesargb/laravel-magiclink"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.25.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-12T22:11:56Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Description\n\nMagicLink stores serialized action objects in the `magic_links.action` database column and deserializes them without integrity validation or class allowlisting in [src/MagicLink.php](src/MagicLink.php#L59-L77) and [src/Actions/ResponseAction.php](src/Actions/ResponseAction.php#L64-L77). An attacker with the ability to manipulate database records (e.g., via SQL injection or compromised admin access) could inject malicious serialized objects containing arbitrary closures, leading to Remote Code Execution (RCE) when the magic link is visited.\n\n## Resolution\n\nThe vulnerability has been mitigated through HMAC-signed serialization using the application key, class allowlisting restricted to `ActionAbstract` subclasses and framework classes, strict type validation preventing arbitrary object storage, and backward compatibility support for legacy data via `allowed_classes` in `unserialize()`. Implementation includes a new [Serializable](src/Security/Serializable/Serializable.php) security class with signing/verification, refactored getter/setter methods in MagicLink.",
  "id": "GHSA-r33w-fg8j-9c94",
  "modified": "2026-02-12T22:11:56Z",
  "published": "2026-02-12T22:11:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cesargb/laravel-magiclink/security/advisories/GHSA-r33w-fg8j-9c94"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cesargb/laravel-magiclink"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cesargb/laravel-magiclink/releases/tag/v2.25.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "MagicLink: Insecure Deserialization of MagicLink Actions Leads to Remote Code Execution"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.