Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008
Description
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9.
Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Drupal core contains a deserialization gadget chain that, combined with an untrusted unserialize() call, could enable remote code execution.
Vulnerability
Overview
CVE-2024-55638 is a deserialization of untrusted data vulnerability in Drupal core that leads to PHP object injection. The core software includes a chain of methods (a "gadget chain") that can be exploited when an insecure deserialization vulnerability exists on the site [1][2]. This chain itself is not directly exploitable but provides a vector for remote code execution if the application deserializes untrusted data from another source [3].
Exploitation
Conditions
The vulnerability is mitigated by the requirement that an attacker must first exploit a separate flaw to pass malicious input to the unserialize() function [3]. No such exploit is known in Drupal core, so this is a chained vulnerability that depends on another weakness. Affected versions include Drupal 7.0 before 7.102, 8.0.0 before 10.2.11, and 10.3.0 before 10.3.9 [1][2].
Impact
If successfully exploited in combination with another vulnerability, an attacker could achieve remote code execution on the affected server. The gadget chain provides the required execution payload, turning a simple deserialization bug into a critical security breach [2][3].
Mitigation
Drupal has released patches in versions 7.102, 10.2.11, and 10.3.9. Users should update immediately. Versions of Drupal 10 prior to 10.2 are end-of-life and no longer receive security coverage; Drupal 8 and 9 are also end-of-life [3]. Site administrators using third-party database drivers should review the release notes for potential additional configuration steps [3].
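To make concrete the prerequisite described under Conditions, the following is an added illustration (not Drupal's code and not the actual gadget chain): a harmless stand-in class whose `__wakeup()` hook runs during unserialize(), the vulnerable call pattern that lets attacker-controlled bytes reach unserialize(), and the same call hardened with PHP's `allowed_classes` option so that no object, and therefore no chain, can be instantiated. The class and function names (`AuditLogger`, `loadPreferencesUnsafe`, `loadPreferencesSafe`) are invented for this example; it assumes PHP 8.

```php
<?php
// Added example, not Drupal core code. Shows why a gadget chain is only a
// threat when untrusted bytes reach unserialize(), and how to close that door.

// Harmless stand-in: a class with a hook that PHP runs while rebuilding the
// object. Gadget chains abuse exactly this kind of hook in library classes.
final class AuditLogger
{
    public string $message = '';

    public function __wakeup(): void
    {
        // Runs as soon as unserialize() reconstructs an AuditLogger.
        echo "__wakeup fired with message: {$this->message}\n";
    }
}

/** Vulnerable pattern: request-controlled bytes go straight to unserialize(). */
function loadPreferencesUnsafe(string $untrusted): mixed
{
    return unserialize($untrusted); // hooks of any loadable class may run
}

/** Hardened pattern: forbid all classes, so no magic method can be reached. */
function loadPreferencesSafe(string $untrusted): mixed
{
    $value = unserialize($untrusted, ['allowed_classes' => false]);
    // Any object in the input becomes an inert __PHP_Incomplete_Class.
    // Reject it rather than carry it further into application code.
    if ($value instanceof __PHP_Incomplete_Class) {
        throw new UnexpectedValueException('serialized objects are not accepted');
    }
    return $value;
}

// Constructed input standing in for a cookie or form field value.
$obj = new AuditLogger();
$obj->message = 'hello';
$payload = serialize($obj);

loadPreferencesUnsafe($payload); // __wakeup fires

try {
    loadPreferencesSafe($payload); // __wakeup never fires
} catch (UnexpectedValueException $e) {
    echo "Rejected: {$e->getMessage()}\n";
}
```

Updating to a patched release removes the specific chain in core, but only refusing to unserialize untrusted data (or using a data-only format such as JSON) removes the prerequisite that any chain depends on.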
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| drupal/core | Packagist | >= 8.8.0, < 10.2.11 | 10.2.11 |
| drupal/core | Packagist | >= 10.3.0, < 10.3.9 | 10.3.9 |
| drupal/core | Packagist | >= 7.0, < 7.102 | 7.102 |
| drupal/core-recommended | Packagist | >= 8.8.0, < 10.2.11 | 10.2.11 |
| drupal/core-recommended | Packagist | >= 10.3.0, < 10.3.9 | 10.3.9 |
| drupal/core-recommended | Packagist | >= 7.0, < 7.102 | 7.102 |
| drupal/drupal | Packagist | >= 8.8.0, < 10.2.11 | 10.2.11 |
| drupal/drupal | Packagist | >= 10.3.0, < 10.3.9 | 10.3.9 |
| drupal/drupal | Packagist | >= 7.0, < 7.102 | 7.102 |
Affected products
- Range: >=7.0 <7.102, >=8.0.0 <10.2.11, >=10.3.0 <10.3.9
- OSV coordinates (4 versions): pkg:bitnami/drupal, pkg:composer/drupal/core, pkg:composer/drupal/core-recommended, pkg:composer/drupal/drupal; range >= 7.0.0, < 10.3.9 (+ 3 more)
- (no CPE) range: >= 7.0.0, < 10.3.9
- (no CPE) range: >= 8.8.0, < 10.2.11
- (no CPE) range: >= 8.8.0, < 10.2.11
- (no CPE) range: >= 8.8.0, < 10.2.11
- Drupal/Drupal Core (v5) range: 7.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-gvf2-2f4g-jqf4 (source: ghsa; type: advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2024-55638 (source: ghsa; type: advisory)
- [3] www.drupal.org/sa-core-2024-008 (source: ghsa; type: web)
News mentions
- Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008 (Drupal Security Advisories · Nov 20, 2024)