Orchid Deserialization of Untrusted Data vulnerability leads to Remote Code Execution
Description
Orchid is a Laravel package that allows application development of back-office applications, admin/user panels, and dashboards. A vulnerability present starting in version 14.0.0-alpha4 and prior to version 14.5.0 is related to the deserialization of untrusted data from the _state query parameter, which can result in remote code execution. The issue has been addressed in version 14.5.0. Users are advised to upgrade their software to this version or any subsequent versions that include the patch. There are no known workarounds.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| orchid/platform (Packagist) | >= 14.0.0-alpha4, < 14.5.0 | 14.5.0 |
Affected products
- Range: >= 14.0.0-alpha4, < 14.5.0
Patches
Vulnerability mechanics
Root cause
"Deserialization of untrusted data from the `_state` query parameter without sufficient validation allows remote code execution [CWE-502]."
Attack vector
An attacker sends a crafted HTTP request whose `_state` query parameter carries a malicious serialized payload. The application deserializes this untrusted data without sufficient validation, so an object graph chosen by the attacker is instantiated on the server, which in PHP is the classic route to remote code execution through gadget classes with magic methods such as `__destruct` or `__wakeup` [CWE-502]. The advisory names no authentication requirement or special network position; being able to reach an endpoint that reads `_state` appears to be sufficient. It also does not specify the exact deserialization mechanism, nor whether the payload must be base64-encoded or otherwise wrapped.
Affected code
The vulnerability is triggered through the `_state` query parameter, which is deserialized without proper validation. The patch does not expose the exact file or function responsible for deserialization, but the CHANGELOG mentions "Automatic detection of the need to transmission state" as the fix [patch_id=1640691]. The version bump in `src/Platform/Dashboard.php` confirms the release boundary.
What the fix does
The patch changes the version from 14.4.0 to 14.5.0 in `src/Platform/Dashboard.php` and adds a CHANGELOG entry stating "Automatic detection of the need to transmission state" [patch_id=1640691]. Read together with the advisory, this suggests the fix adds logic that decides whether state actually needs to be transmitted, instead of unconditionally deserializing whatever arrives in `_state`. If that reading is right, untrusted serialized data is no longer processed on requests that do not need it, closing the remote code execution vector [CWE-502]. The diff available here does not show the deserialization call itself, so the precise check cannot be confirmed from the patch alone.
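The attack vector and fix passages above describe the pattern abstractly. The following PHP 8 script is an added illustration, not Orchid's code and not the 14.5.0 patch: it shows a minimal `_state` handler that calls `unserialize()` on the raw parameter beside a hardened version that carries state as JSON bound to an HMAC. The `TempFile` gadget class, the base64 wrapping, and the `encodeState`/`restoreState*` helper names are assumptions made for the demo; the advisory does not say how Orchid encodes or restores `_state`.

```php
<?php
// Added illustration (not Orchid's code): restoring UI state from a
// `_state` query parameter the unsafe way and a safe way.
declare(strict_types=1);

// Hypothetical gadget: a class whose destructor has a side effect. Any
// such class reachable by the autoloader is a candidate for an
// unserialize() gadget chain; here the side effect is only an echo.
final class TempFile
{
    public function __construct(public string $path) {}

    public function __destruct()
    {
        echo "destructor ran for {$this->path}\n";
    }
}

// VULNERABLE: whatever object graph the client puts in _state is
// instantiated server-side, magic methods included (CWE-502).
function restoreStateVulnerable(array $query): mixed
{
    $raw = base64_decode($query['_state'] ?? '', true);
    return $raw === false ? null : unserialize($raw);
}

// HARDENED: state is JSON (no object instantiation) and must carry an
// HMAC computed with a server-side secret, so only values the server
// itself produced are accepted.
function encodeState(array $state, string $secret): string
{
    $json = json_encode($state, JSON_THROW_ON_ERROR);
    $mac  = hash_hmac('sha256', $json, $secret);
    return base64_encode($mac . '.' . $json);
}

function restoreStateHardened(array $query, string $secret): ?array
{
    $raw = base64_decode($query['_state'] ?? '', true);
    if ($raw === false || !str_contains($raw, '.')) {
        return null;
    }
    [$mac, $json] = explode('.', $raw, 2);
    $expected = hash_hmac('sha256', $json, $secret);
    if (!hash_equals($expected, $mac)) {
        return null; // forged or tampered state
    }
    $state = json_decode($json, true, 16, JSON_THROW_ON_ERROR);
    return is_array($state) ? $state : null;
}

// Constructed sample requests, as the query array Laravel would hand over.
$secret = 'replace-with-a-real-32-byte-secret';
$attack = ['_state' => base64_encode(serialize(new TempFile('/tmp/x')))];
$legit  = ['_state' => encodeState(['page' => 2, 'sort' => 'name'], $secret)];

// Vulnerable path: the attacker's object is instantiated from the request.
var_dump(restoreStateVulnerable($attack) instanceof TempFile); // bool(true), after the echo
// Hardened path: same payload is rejected before any object exists.
var_dump(restoreStateHardened($attack, $secret));               // NULL
var_dump(restoreStateHardened($legit, $secret));                // array with page and sort
```

If a code base cannot move away from the PHP serialization format immediately, `unserialize($raw, ['allowed_classes' => false])` is the minimal stop-gap: objects come back as `__PHP_Incomplete_Class` and no magic methods run. It still parses attacker-controlled bytes, so the signed-JSON form above is the one to aim for.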
Preconditions
- Network: the attacker must be able to send HTTP requests to an endpoint of the affected application that reads the `_state` query parameter.
- Auth: none required as far as the advisory states; it mentions no authentication precondition.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-ph6g-p72v-pc3p (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-36825 (NVD entry)
- github.com/orchidsoftware/platform/releases/tag/14.5.0 (release notes for the patched version)
- github.com/orchidsoftware/platform/security/advisories/GHSA-ph6g-p72v-pc3p (vendor advisory)