Drupal core - Less critical - Gadget chain - SA-CORE-2024-006
Description
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Drupal core contains a PHP gadget chain that can enable remote code execution if combined with an insecure deserialization vulnerability.
Vulnerability
Overview
CVE-2024-55636 is a deserialization of untrusted data vulnerability in Drupal Core that allows object injection. The issue affects Drupal Core versions from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, and from 11.0.0 before 11.0.8 [2][3]. Drupal core contains a chain of methods (a so-called gadget chain) that becomes exploitable when an insecure deserialization vulnerability exists on the site [2].
Exploitation
This vulnerability is not directly exploitable on its own; it requires a separate flaw that allows an attacker to pass unsafe input to unserialize() [3]. The gadget chain itself poses no direct threat but serves as a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability [2]. The Drupal Security Team, including Drew Webber and Lee Rowlands, coordinated the fix [3].
Impact
If successfully combined with another exploit, this vulnerability could lead to arbitrary file deletion [3]. The fix adds type declarations to properties in certain Drupal core classes to prevent the deserialization attack [3][4]. Applications extending those classes may need to add the same type hints to avoid a TypeError [3].
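To show why the fix relies on native property types, here is an added example (not from the advisory or Drupal's code; the interface and class names are hypothetical stand-ins for the shape of the patched class) that feeds the same tampered serialized payload to an untyped and to a typed property:

```php
<?php
declare(strict_types=1);

// Constructed illustration: these interface and class names are hypothetical
// stand-ins for the shape of the patched class, not Drupal's own code.
interface CacheBackendInterface {}
final class MemoryBackend implements CacheBackendInterface {}

// Shape before the fix: an untyped property. unserialize() stores whatever
// object the input names here, so an unrelated object can land where the
// holder expects a cache backend, and later method calls run against it.
class UntypedComparer
{
    protected $targetCacheStorage;

    public function __construct(CacheBackendInterface $backend) { $this->targetCacheStorage = $backend; }

    public function storageClass(): string { return get_class($this->targetCacheStorage); }
}

// Shape after the fix: a native property type. PHP checks it while
// unserializing, so a mismatched value aborts with a TypeError before any
// of the holder's methods can run.
class TypedComparer
{
    protected CacheBackendInterface $targetCacheStorage;

    public function __construct(CacheBackendInterface $backend) { $this->targetCacheStorage = $backend; }
}

// Serialize a legitimate instance, then mimic tampered input by swapping the
// backend for a plain stdClass (constructed sample, not produced by the app).
$legit = serialize(new UntypedComparer(new MemoryBackend()));
$tampered = str_replace('O:13:"MemoryBackend":0:{}', 'O:8:"stdClass":0:{}', $legit);
echo "untyped property now holds: ", unserialize($tampered)->storageClass(), "\n";

// Point the same tampered payload at the typed class.
$typedTampered = str_replace('O:15:"UntypedComparer"', 'O:13:"TypedComparer"', $tampered);
try {
    unserialize($typedTampered);
    echo "typed property accepted the foreign object (not expected on PHP >= 7.4)\n";
} catch (\TypeError $e) {
    echo "typed property rejected it: ", $e->getMessage(), "\n";
}

// Defence in depth, independent of property types: forbid instantiating any
// class when untrusted input must be unserialized at all.
echo get_class(unserialize($tampered, ['allowed_classes' => false])), "\n";
```

Requires PHP 7.4 or later, where typed properties are enforced during unserialization; the `allowed_classes` option has been available since PHP 7.0.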
Mitigation
Drupal has released patched versions: 10.2.11, 10.3.9, and 11.0.8 [3]. Users on older versions should update immediately; versions prior to Drupal 10.2 are end-of-life and no longer receive security coverage [3]. Drupal 7 is not affected [3]. There are no known exploits in Drupal core that leverage this gadget chain [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| drupal/core (Packagist) | >= 8.8.0, < 10.2.11 | 10.2.11 |
| drupal/core (Packagist) | >= 10.3.0, < 10.3.9 | 10.3.9 |
| drupal/core (Packagist) | >= 11.0.0, < 11.0.8 | 11.0.8 |
| drupal/core-recommended (Packagist) | >= 8.8.0, < 10.2.11 | 10.2.11 |
| drupal/core-recommended (Packagist) | >= 10.3.0, < 10.3.9 | 10.3.9 |
| drupal/core-recommended (Packagist) | >= 11.0.0, < 11.0.8 | 11.0.8 |
| drupal/drupal (Packagist) | >= 8.8.0, < 10.2.11 | 10.2.11 |
| drupal/drupal (Packagist) | >= 10.3.0, < 10.3.9 | 10.3.9 |
| drupal/drupal (Packagist) | >= 11.0.0, < 11.0.8 | 11.0.8 |
Affected products
6 entries:
- Range: >=8.0.0, <10.2.11; >=10.3.0, <10.3.9; >=11.0.0, <11.0.8
- OSV coordinates (4 versions): pkg:bitnami/drupal, pkg:composer/drupal/core, pkg:composer/drupal/core-recommended, pkg:composer/drupal/drupal; range >= 8.0.0, < 10.3.9 and 3 more
- (no CPE) range: >= 8.0.0, < 10.3.9
- (no CPE) range: >= 8.8.0, < 10.2.11
- (no CPE) range: >= 8.8.0, < 10.2.11
- (no CPE) range: >= 8.8.0, < 10.2.11
- Drupal / Drupal Core, v5 range: 8.0.0
Patches
Commit 117f362b988e6: SA-CORE-2024-006 (by mcdruid, larowlan)
1 file changed · +2 −1
lib/Drupal/Core/Config/StorageComparer.php+2 −1 modified@@ -4,6 +4,7 @@ use Drupal\Component\Datetime\Time; use Drupal\Component\Datetime\TimeInterface; +use Drupal\Core\Cache\CacheBackendInterface; use Drupal\Core\Cache\MemoryBackend; use Drupal\Core\Cache\NullBackend; use Drupal\Core\Config\Entity\ConfigDependencyManager; @@ -85,7 +86,7 @@ class StorageComparer implements StorageComparerInterface { * * @var \Drupal\Core\Cache\CacheBackendInterface */ - protected $targetCacheStorage; + protected CacheBackendInterface $targetCacheStorage; /** * Indicates whether the target storage should be wrapped in a cache.
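Review bot: the second hunk's `protected CacheBackendInterface $targetCacheStorage;` is a backwards-compatibility break for any subclass that redeclares this property without the identical type, because PHP requires a child's redeclaration of a typed property to match the parent's type exactly; the commit should reference a change record telling contrib and custom code to add the same declaration. The `@var \Drupal\Core\Cache\CacheBackendInterface` docblock now repeats the native type and can be dropped. The first hunk's `use Drupal\Core\Cache\CacheBackendInterface;` is correctly ordered before `MemoryBackend`.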
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions (4)
- Drupal core - Less critical - Gadget chain - SA-CORE-2024-006 (Drupal Security Advisories, Nov 20, 2024)