VYPR
High severity · NVD Advisory · Published Oct 11, 2024 · Updated Mar 25, 2025

CVE-2024-48987

Description

Snipe-IT before 7.0.10 allows remote code execution (associated with cookie serialization) when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Snipe-IT before 7.0.10 allows unauthenticated remote code execution via cookie serialization if an attacker knows or can brute-force a default APP_KEY.

Vulnerability

Overview

CVE-2024-48987 is a remote code execution vulnerability in Snipe-IT versions prior to 7.0.10. The root cause lies in Laravel's cookie serialization mechanism, which can be abused when an attacker possesses the application's APP_KEY. The issue is exacerbated because Snipe-IT's repository includes default .env files containing easily guessable APP_KEY values, lowering the barrier for exploitation [1][2].

Exploitation

An unauthenticated attacker need only access the /login endpoint to receive an XSRF-TOKEN cookie [2]. Using a tool like laravel-crypto-killer, the attacker can brute-force the cookie against a wordlist of known default APP_KEYs from Snipe-IT’s .env.example files. Once a valid key is identified, the attacker can craft a malicious serialized cookie payload that, when deserialized by the Laravel framework, achieves remote code execution [2]. No authentication is required; the attack is entirely pre-authentication if a default APP_KEY is in use.

Impact

Successful exploitation grants the attacker arbitrary code execution on the Snipe-IT server, potentially leading to full compromise of the asset management system and its underlying data [1][2]. Given that Snipe-IT is often deployed with internet-accessible login pages and that default keys are trivial to discover, the actual risk is high despite the conditional dependency on knowing the APP_KEY.

Mitigation

Snipe-IT version 7.0.10 disables cookie serialization, closing the attack vector [4]. Administrators should upgrade immediately and should never use the default APP_KEY values found in example configuration files. Rolling the APP_KEY is also strongly advised if there is any suspicion of prior exposure [4].
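As an added example (not from the advisory or from the Snipe-IT project), the following check covers the two configuration points in the mitigation above: it parses a deployment's .env, flags an APP_KEY that was copied verbatim from an example file or that is not in Laravel's base64:<key> format, and produces a fresh key of the same shape that `php artisan key:generate` writes. The placeholder key, the sample .env contents and the helper names are constructed for illustration; the 16/32-byte key lengths follow Laravel's AES-128-CBC / AES-256-CBC convention.

```python
"""Audit a Laravel/Snipe-IT APP_KEY against example-config defaults.

Added example, not part of the advisory or the Snipe-IT code base.
Assumes Laravel's convention that APP_KEY is "base64:<key>" where the
decoded key is 16 bytes (AES-128-CBC) or 32 bytes (AES-256-CBC).
"""
import base64
import os
from typing import Dict, List, Optional

# Raw key lengths Laravel's encrypter accepts for its two supported ciphers.
VALID_KEY_LENGTHS = {16, 32}


def parse_env(text: str) -> Dict[str, str]:
    """Minimal .env parser: KEY=VALUE lines; comments and blank lines are
    ignored and single/double quotes around the value are stripped."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def decode_app_key(value: str) -> Optional[bytes]:
    """Return the raw key bytes for a 'base64:<key>' value, or None if the
    value is not in that format or is not valid base64."""
    prefix = "base64:"
    if not value.startswith(prefix):
        return None
    try:
        return base64.b64decode(value[len(prefix):], validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None


def audit_app_key(app_env: str, example_envs: List[str]) -> List[str]:
    """Return findings for the APP_KEY in app_env; an empty list means the
    key is locally generated and well-formed. example_envs holds the
    contents of repository example files (.env.example and the like)."""
    findings: List[str] = []
    key = parse_env(app_env).get("APP_KEY", "")
    if not key:
        return ["APP_KEY is empty or missing"]
    example_keys = {parse_env(e).get("APP_KEY", "") for e in example_envs}
    example_keys.discard("")
    if key in example_keys:
        findings.append("APP_KEY matches a value shipped in an example/default .env file")
    raw = decode_app_key(key)
    if raw is None:
        findings.append("APP_KEY is not in Laravel's base64:<key> format (likely a placeholder)")
    elif len(raw) not in VALID_KEY_LENGTHS:
        findings.append(f"APP_KEY decodes to {len(raw)} bytes; expected 16 or 32")
    return findings


def generate_app_key() -> str:
    """Produce a fresh 32-byte key in the same 'base64:<key>' form that
    `php artisan key:generate` writes, using the OS CSPRNG."""
    return "base64:" + base64.b64encode(os.urandom(32)).decode("ascii")


# Constructed sample inputs: a repository example file with a placeholder
# key, a deployment that copied it verbatim, and a deployment with a
# locally generated key.
EXAMPLE_ENV = "APP_ENV=production\nAPP_KEY=placeholder-key-from-example-file\nAPP_DEBUG=false\n"
BAD_DEPLOYMENT_ENV = "APP_KEY=placeholder-key-from-example-file\nAPP_URL=http://assets.example.test\n"
GOOD_DEPLOYMENT_ENV = "APP_KEY=" + generate_app_key() + "\nAPP_URL=http://assets.example.test\n"

if __name__ == "__main__":
    for name, env in (("copied-from-example", BAD_DEPLOYMENT_ENV),
                      ("locally-generated", GOOD_DEPLOYMENT_ENV)):
        print(name, audit_app_key(env, [EXAMPLE_ENV]) or ["ok"])
```

Run it against the real deployment's .env and every example file in the repository checkout. Note that rolling APP_KEY on a live Laravel application invalidates everything encrypted under the old key (sessions, encrypted cookies, any values the application stored encrypted), so plan to re-encrypt stored values rather than only editing the .env.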

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Affected versions   Patched versions
snipe/snipe-it (Packagist)   < 7.0.10            7.0.10

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.