GHSA-R33W-FG8J-9C94: Magic Tricks or Dark Arts? RCE in Laravel MagicLink


Vulnerability ID: GHSA-R33W-FG8J-9C94
CVSS Score: 8.8
Published: 2026-02-12

A high-severity insecure deserialization vulnerability in cesargb/laravel-magiclink allows an attacker with write access to the application's database to execute arbitrary code. The package, which creates passwordless login links, stored serialized PHP objects in the database and unserialized them on use without any integrity check. This turns an ordinary SQL injection bug or a compromised low-privileged database account into full Remote Code Execution (RCE).

TL;DR

The cesargb/laravel-magiclink package (< 2.25.1) trusts its own database too much. It stores the serialized PHP action for each link in the magic_links table and calls unserialize() on it when a user visits the link. An attacker who can modify that table (through SQL injection or stolen database credentials) can replace the stored action with a malicious object graph (a gadget chain) that runs code during deserialization. The fix signs the stored payload with an HMAC so that modified rows are rejected before they are unserialized.


⚠️ Exploit Status: POC
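The storage pattern the TL;DR describes, next to a signed replacement, as an added example that is not code from cesargb/laravel-magiclink: a plain array stands in for the magic_links table; the column name action, the RedirectAction and TamperedGadget classes, the key handling and the mac|base64(payload) storage format are assumptions for illustration; and the hardened loader adds an allowed_classes list on top of the HMAC check the advisory mentions.

```php
<?php
// Added example, not code from cesargb/laravel-magiclink. It reproduces the
// pattern the advisory describes with a plain array standing in for the
// magic_links table. The column name "action", the RedirectAction and
// TamperedGadget classes, the key handling and the "mac|base64(payload)"
// format are assumptions, not the package's real types or schema.
// Requires PHP 8.0+ (constructor promotion).

// Stand-in for an action the package legitimately stores.
class RedirectAction
{
    public function __construct(public string $url = '/') {}
    public function run(): string { return 'redirect:' . $this->url; }
}

// Stand-in for a gadget: any autoloaded class whose magic method has side
// effects (__wakeup, __destruct, __toString ...). Real chains reuse classes from
// vendor packages; this one only records that it was invoked.
class TamperedGadget
{
    public static array $executed = [];
    public string $cmd = '';
    public function __wakeup(): void { self::$executed[] = $this->cmd; } // a real chain would run system($this->cmd)
}

$gadget = new TamperedGadget();
$gadget->cmd = 'id';
$table = [];   // [id => action] stand-in for the magic_links table

// --- Vulnerable pattern (pre-2.25.1 behaviour as described): raw serialize()/unserialize() ---
$table[1] = serialize(new RedirectAction('/dashboard'));
$table[1] = serialize($gadget);            // attacker with UPDATE on magic_links, e.g. via SQLi
$action = unserialize($table[1]);          // __wakeup() fires here, before the app looks at $action
echo "vulnerable: gadget ran -> ", implode(',', TamperedGadget::$executed), "\n";

// --- Hardened pattern: HMAC over the serialized bytes, checked before unserialize() ---
$key = random_bytes(32);                   // in a Laravel app, derive this from config('app.key')

function storeAction(object $action, string $key): string
{
    $payload = serialize($action);
    return hash_hmac('sha256', $payload, $key) . '|' . base64_encode($payload);
}

function loadAction(string $stored, string $key, array $allowedClasses): object
{
    [$mac, $b64] = explode('|', $stored, 2) + [1 => ''];
    $payload = base64_decode($b64, true);
    // Reject before a single byte reaches unserialize(): no magic method can run on a forged row.
    if ($payload === false || !hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        throw new RuntimeException('InvalidSignature: magic_links row was modified');
    }
    // Defence in depth: even with a valid MAC, only the expected action classes may be instantiated.
    $obj = unserialize($payload, ['allowed_classes' => $allowedClasses]);
    if (!is_object($obj) || $obj instanceof __PHP_Incomplete_Class) {
        throw new RuntimeException('Unexpected class in stored action');
    }
    return $obj;
}

$table[2] = storeAction(new RedirectAction('/dashboard'), $key);
echo "hardened: ", loadAction($table[2], $key, [RedirectAction::class])->run(), "\n";

// The same tampering against the signed row: without $key the attacker cannot produce a
// matching MAC, so the row is rejected and TamperedGadget::__wakeup() never runs.
$table[2] = str_repeat('0', 64) . '|' . base64_encode(serialize($gadget));
try {
    loadAction($table[2], $key, [RedirectAction::class]);
} catch (RuntimeException $e) {
    echo "hardened: ", $e->getMessage(), "\n";
}
echo "gadget invocations after hardened load: ", count(TamperedGadget::$executed), "\n";
```

The important ordering is inside loadAction(): the MAC is verified with hash_equals() on the raw serialized bytes before unserialize() is ever called, because the moment unserialize() parses an object token, that class's __wakeup() (and later __destruct()) run regardless of what the application does with the result. The allowed_classes restriction is a second line of defence for the case where the key leaks.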

Technical Details

  • Vulnerability ID: GHSA-R33W-FG8J-9C94
  • CWE: CWE-502 (Deserialization of Untrusted Data)
  • CVSS Score: 8.8 (High)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector: Network (requires DB Write Access)
  • Impact: Remote Code Execution (RCE)

Affected Systems

  • cesargb/laravel-magiclink < 2.25.1 (fixed in 2.25.1)
  • Any Laravel application that installs the package and stores magic links

Exploit Details

  • GitHub Advisory: documents the lack of an integrity check on the serialized data before it is passed to unserialize().

Mitigation Strategies

  • Update to version 2.25.1 or later immediately.
  • Audit application code for other calls to unserialize() on values read from the database or any other store an attacker could write to; prefer json_decode() or signed payloads for such data.
  • Apply the principle of least privilege to database accounts so that an injection or a leaked credential in one component does not grant write access to the magic_links table; this limits the blast radius of SQL injection.

Remediation Steps:

  1. Run composer update cesargb/laravel-magiclink.
  2. Verify the installed version is >= 2.25.1 (composer show cesargb/laravel-magiclink).
  3. Purge existing magic links from the magic_links table: rows written before the update carry no signature and may fail validation, and any row an attacker has already tampered with is removed along with them.
  4. Monitor logs for InvalidSignatureException, which may indicate attempted exploitation (a stored row whose signature no longer matches its payload).
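Steps 2 and 3 can be checked without trusting the stored rows at all. The script below is an added example, not part of the advisory or the package: it reads the installed version from a composer.lock excerpt constructed inline, and scans constructed sample rows (in a real app, fetched with DB::table('magic_links')->pluck('action', 'id')) for serialized objects of unexpected classes without ever calling unserialize(), so the audit itself cannot trigger a gadget. The column name action, the allowlist, and the class names in the sample rows are assumptions.

```php
<?php
// Added example, not part of the advisory or the package. Checks remediation
// steps 2 and 3 offline: installed version from a constructed composer.lock
// excerpt, and a scan of stored rows (constructed here) for serialized objects
// of unexpected classes WITHOUT calling unserialize(). The column name
// "action", the allowlist and the class names in the sample rows are assumptions.

const FIXED_VERSION = '2.25.1';

// Returns the installed version of $package from a composer.lock document, or null if absent.
function installedVersion(string $composerLockJson, string $package = 'cesargb/laravel-magiclink'): ?string
{
    $lock = json_decode($composerLockJson, true, 512, JSON_THROW_ON_ERROR);
    foreach ($lock['packages'] ?? [] as $pkg) {
        if (($pkg['name'] ?? '') === $package) {
            return ltrim((string) ($pkg['version'] ?? ''), 'v');
        }
    }
    return null;
}

function isPatched(?string $version): bool
{
    return $version !== null && version_compare($version, FIXED_VERSION, '>=');
}

// Lists every class named in a serialized PHP string by matching the
// O:<len>:"<class>" token, including objects nested inside properties.
// The payload is never unserialized, so no __wakeup()/__destruct() can fire.
function serializedClasses(string $payload): array
{
    preg_match_all('/O:(\d+):"([^"]*)"/', $payload, $matches, PREG_SET_ORDER);
    $classes = [];
    foreach ($matches as [, $len, $class]) {
        if (strlen($class) === (int) $len) {   // ignore look-alike text inside string values
            $classes[$class] = true;
        }
    }
    return array_keys($classes);
}

// Returns [row id => [unexpected class, ...]] for rows referencing classes outside $allowed.
function suspiciousRows(array $rows, array $allowed): array
{
    $flagged = [];
    foreach ($rows as $id => $payload) {
        $unexpected = array_values(array_diff(serializedClasses($payload), $allowed));
        if ($unexpected !== []) {
            $flagged[$id] = $unexpected;
        }
    }
    return $flagged;
}

// Constructed inputs (not real project data).
$composerLock = json_encode(['packages' => [
    ['name' => 'laravel/framework', 'version' => 'v11.0.0'],
    ['name' => 'cesargb/laravel-magiclink', 'version' => 'v2.25.0'],
]]);
$allowed = ['App\MagicLink\RedirectAction'];   // hypothetical; use the package's own action classes
$rows = [
    // legitimate redirect action
    7 => 'O:28:"App\MagicLink\RedirectAction":1:{s:3:"url";s:10:"/dashboard";}',
    // allowed wrapper, but a foreign object smuggled into one of its properties
    8 => 'O:28:"App\MagicLink\RedirectAction":1:{s:3:"url";O:17:"Acme\Gadget\Chain":1:{s:3:"cmd";s:2:"id";}}',
    // a string value that merely resembles an object token (length mismatch) is not flagged
    9 => 'O:28:"App\MagicLink\RedirectAction":1:{s:3:"url";s:14:"O:1:"Not"real"";}',
];

$version = installedVersion($composerLock);
printf("installed %s: %s\n", $version ?? 'none', isPatched($version) ? 'patched' : 'VULNERABLE, update now');
foreach (suspiciousRows($rows, $allowed) as $id => $classes) {
    printf("row %d references unexpected class(es): %s\n", $id, implode(', ', $classes));
}
```

Of the three constructed rows only row 8 is flagged, because the scan walks nested object tokens rather than just the outermost class. Run the scan before purging in step 3 so that any row referencing a class outside the package's own action types is preserved as evidence for the incident record rather than silently deleted.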
