GHSA-W9MX-XMG4-GC4R

Vulnerability from github – Published: 2026-07-09 20:52 – Updated: 2026-07-09 20:52
VLAI
Summary
laravel-backup-restore has an OS Command Injection during database restore
Details

Summary

A crafted backup archive can trigger OS command injection during database restore. The restore workflow extracts a ZIP archive, enumerates files under db-dumps, converts the dump path to an absolute path, and passes that path into database import commands that are built as shell command strings.

The dump filename is not shell-escaped before it is interpolated into commands such as:

  • mysql ... < {dumpFile}
  • gunzip -c {dumpFile} / gunzip < {dumpFile}
  • psql ... < {dumpFile}
  • sqlite3 ... < {dumpFile}

Because Illuminate\Support\Facades\Process::run(string) uses Symfony Process::fromShellCommandline(), shell metacharacters in the dump filename are interpreted by /bin/sh on Unix-like systems or by the platform shell on Windows.

Impact

If an attacker can cause an operator or automation to restore a malicious backup archive, the attacker can execute arbitrary shell commands as the PHP/Laravel application user on the system performing the restore. This can lead to application compromise, database credential disclosure, tampering with restored data, and further lateral movement depending on deployment permissions.

This is not about malicious SQL inside the dump. The command injection is carried in the ZIP entry filename under db-dumps, before the dump content is imported.

Patches

The vulnerability has been fixed in v1.9.4 of the package.

Workarounds

There is no configuration option that disables the vulnerable code path. Upgrading to the patched release is the only complete fix.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.9.3"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "wnx/laravel-backup-restore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-53932"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77",
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-09T20:52:57Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\nA crafted backup archive can trigger OS command injection during database restore. The restore workflow extracts a ZIP archive, enumerates files under `db-dumps`, converts the dump path to an absolute path, and passes that path into database import commands that are built as shell command strings.\n\nThe dump filename is not shell-escaped before it is interpolated into commands such as:\n\n- `mysql ... \u003c {dumpFile}`\n- `gunzip -c {dumpFile}` / `gunzip \u003c {dumpFile}`\n- `psql ... \u003c {dumpFile}`\n- `sqlite3 ... \u003c {dumpFile}`\n\nBecause `Illuminate\\Support\\Facades\\Process::run(string)` uses Symfony `Process::fromShellCommandline()`, shell metacharacters in the dump filename are interpreted by `/bin/sh` on Unix-like systems or by the platform shell on Windows.\n\n### Impact\nIf an attacker can cause an operator or automation to restore a malicious backup archive, the attacker can execute arbitrary shell commands as the PHP/Laravel application user on the system performing the restore. This can lead to application compromise, database credential disclosure, tampering with restored data, and further lateral movement depending on deployment permissions.\n\nThis is not about malicious SQL inside the dump. The command injection is carried in the ZIP entry filename under `db-dumps`, before the dump content is imported.\n\n### Patches\nThe vulnerability has been fixed in v1.9.4 of the package.\n\n### Workarounds\nThere is no configuration option that disables the vulnerable code path. Upgrading to the patched release is the only complete fix.",
  "id": "GHSA-w9mx-xmg4-gc4r",
  "modified": "2026-07-09T20:52:57Z",
  "published": "2026-07-09T20:52:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/stefanzweifel/laravel-backup-restore/security/advisories/GHSA-w9mx-xmg4-gc4r"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/stefanzweifel/laravel-backup-restore"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "laravel-backup-restore has an OS Command Injection during database restore"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…