VYPR
High severity · NVD Advisory · Published Dec 9, 2024 · Updated Dec 16, 2024

Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007

CVE-2024-55637

Description

Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.

Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Drupal core contains a PHP object injection gadget chain that, combined with another vulnerability, could lead to remote code execution; patched in versions 10.2.11, 10.3.9, and 11.0.8.

CVE-2024-55637 describes a deserialization gadget chain in Drupal core that, while not exploitable on its own, can be used to achieve remote code execution if an attacker can trigger deserialization of untrusted data through a separate vulnerability [2]. The root cause is that certain classes in Drupal core hold untyped properties whose deserialized contents can be used to invoke a chain of methods ending in arbitrary code execution. The Drupal security advisory (SA-CORE-2024-007) describes this as a potential PHP Object Injection vulnerability that requires another exploit to pass unsafe input to unserialize() [3].

Exploitation requires a separate vulnerability that lets an attacker supply untrusted data to a deserialization call; no authentication is needed beyond what that vulnerability requires. The gadget chain itself is only a vector that amplifies the impact of such an insecure deserialization flaw. The fix, visible in the commit [4], declares a type on the $query property of the ViewExecutable class (nullable QueryPluginBase), so that deserialization rejects any object that is not a query plugin and the chain cannot be entered through that property.
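To make the effect of the fix concrete, here is an added PHP example (not Drupal's own code): a minimal class with an untyped `$query` property beside one with the nullable typed property the patch introduces, and the same serialized input replayed against both. `QueryPluginBase` here is a hypothetical stand-in for the Drupal class, and the serialized string is constructed for the demonstration; the last function shows the generic `allowed_classes` defence for code that must call `unserialize()` on data it does not fully trust.

```php
<?php
declare(strict_types=1);

// Stand-in for the Drupal base class referenced by the typed property.
class QueryPluginBase {}

// Before the fix: an untyped property accepts whatever unserialize() produces.
class UntypedHolder {
    public $query = NULL;
}

// After the fix (mirrors the SA-CORE-2024-007 change): only a QueryPluginBase
// or NULL may ever be stored here, and PHP enforces that during unserialize().
class TypedHolder {
    public ?QueryPluginBase $query = NULL;
}

// Constructed input: the serialized form of a $class instance whose $query
// slot holds a plain stdClass instead of a QueryPluginBase.
function payloadFor(string $class): string {
    return sprintf('O:%d:"%s":1:{s:5:"query";O:8:"stdClass":0:{}}', strlen($class), $class);
}

// Returns the class name that ended up in $query, or 'TypeError' when the
// typed property rejected the foreign object during deserialization.
function tryUnserialize(string $class): string {
    try {
        $obj = unserialize(payloadFor($class));
        return get_class($obj->query);
    } catch (TypeError $e) {
        return 'TypeError';
    }
}

// Defence that does not depend on property types: refuse to instantiate any
// class at all, so objects arrive as __PHP_Incomplete_Class and no method of
// the original class can run.
function safeUnserialize(string $data): object {
    $obj = unserialize($data, ['allowed_classes' => false]);
    return $obj;
}

var_dump(tryUnserialize(UntypedHolder::class));
var_dump(tryUnserialize(TypedHolder::class));
var_dump(get_class(safeUnserialize(payloadFor(UntypedHolder::class))));
```

The untyped holder silently accepts the stdClass, the typed holder throws a TypeError from inside unserialize(), and the allowed_classes variant yields an __PHP_Incomplete_Class regardless of the declared types.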

If successfully exploited, an attacker could achieve remote code execution on the affected Drupal site. However, the Drupal Security Team states that there are no known exploits in Drupal core that directly allow untrusted deserialization, and the issue is rated as moderately critical [3].

The vulnerability affects Drupal core versions from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, and from 11.0.0 before 11.0.8. Drupal 7 is not affected. Users are advised to update to the latest patched versions: 10.2.11, 10.3.9, or 11.0.8. Older versions (Drupal 8, 9, and 10 prior to 10.2) are end-of-life and no longer receive security coverage [3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package (Packagist)      | Affected versions    | Patched versions
drupal/core              | >= 8.8.0, < 10.2.11  | 10.2.11
drupal/core              | >= 10.3.0, < 10.3.9  | 10.3.9
drupal/core              | >= 11.0.0, < 11.0.8  | 11.0.8
drupal/core-recommended  | >= 8.8.0, < 10.2.11  | 10.2.11
drupal/core-recommended  | >= 10.3.0, < 10.3.9  | 10.3.9
drupal/core-recommended  | >= 11.0.0, < 11.0.8  | 11.0.8
drupal/drupal            | >= 8.8.0, < 10.2.11  | 10.2.11
drupal/drupal            | >= 10.3.0, < 10.3.9  | 10.3.9
drupal/drupal            | >= 11.0.0, < 11.0.8  | 11.0.8

Affected products: 6

Patches: 1

Commit 1664030d399c

SA-CORE-2024-007 by mcdruid, larowlan

https://github.com/drupal/core · Dave Long · Nov 20, 2024 · via ghsa
1 file changed · +2 −1
  • modules/views/src/ViewExecutable.php · +2 −1 · modified
    @@ -8,6 +8,7 @@
     use Drupal\Core\Routing\RouteProviderInterface;
     use Drupal\Core\Session\AccountInterface;
     use Drupal\views\Plugin\views\display\DisplayRouterInterface;
    +use Drupal\views\Plugin\views\query\QueryPluginBase;
     use Drupal\views\Plugin\ViewsPluginManager;
     use Symfony\Component\HttpFoundation\Request;
     use Symfony\Component\HttpFoundation\Response;
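Review bot: the new `use Drupal\views\Plugin\views\query\QueryPluginBase;` import is only needed because the property declaration below now names the class in a type position; it is placed in alphabetical order between `DisplayRouterInterface` and `ViewsPluginManager`, matching the file's existing ordering, so no change requested here.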
    @@ -219,7 +220,7 @@ class ViewExecutable {
        *
        * @var \Drupal\views\Plugin\views\query\QueryPluginBase
        */
    -  public $query = NULL;
    +  public ?QueryPluginBase $query = NULL;
     
       /**
        * The used pager plugin used by the current executed view.
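Review bot: `public ?QueryPluginBase $query = NULL;` is the actual hardening, since PHP checks typed properties when unserialize() populates them and throws a TypeError for any value that is not a `QueryPluginBase` or NULL, which is what closes the entry point the advisory describes. Two follow-ups: the docblock still reads `@var \Drupal\views\Plugin\views\query\QueryPluginBase` and should say `\Drupal\views\Plugin\views\query\QueryPluginBase|null` to match the nullable declaration; and every other assignment to `$query` in the code base must now pass a `QueryPluginBase` or NULL, so the change deserves a search for writes to this property to rule out a runtime TypeError on a code path the tests do not cover.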
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 1