
AIKIDO-2026-10350

laravel/pulse is vulnerable to Deserialization of Untrusted Data

Deserialization of Untrusted Data (Pre-CVE)
Found by Aikido Intel before public disclosure or CVE publication.
Published Mar 13, 2026


High Risk

This Affects:

laravel/pulse (PHP)
Affected versions: 1.0.0 - 1.6.0
Fixed in 1.7.0

TL;DR

Affected versions of this package unserialize data retrieved from Redis without restricting the allowed classes, which may enable PHP Object Injection if the Redis instance is compromised or attacker-controlled. Because unserialize() can instantiate arbitrary PHP objects, a malicious serialized payload could trigger gadget chains through magic methods such as __wakeup() or __destruct(). An attacker who gains write access to Redis could inject crafted serialized objects into stored entries that the application later deserializes. Depending on the gadget chains available in the application or its dependencies, this could lead to arbitrary code execution, file manipulation, or privilege escalation.
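The following is an added illustration, not code from laravel/pulse or from this advisory: a stand-alone PHP 8 script contrasting an unrestricted unserialize() call with one that passes the allowed_classes option, which is the restriction the advisory refers to. The class WakeupProbe, the helper functions, and the locally constructed serialized string standing in for a Redis value are all assumptions made for the example; the Pulse Redis read path itself is not reproduced.

```php
<?php
// Added example (not laravel/pulse code): contrasts unrestricted unserialize()
// with unserialize() restricted via the allowed_classes option.

// A benign class whose __wakeup() fires on unserialize. In a real gadget chain
// this magic method would do something an attacker controls; here it only
// records that it ran.
final class WakeupProbe
{
    public static int $wakeups = 0;
    public string $label = 'constructed';

    public function __wakeup(): void
    {
        self::$wakeups++;
    }
}

// Stand-in for a value read back from Redis. It is constructed locally here by
// serializing a benign object; in the vulnerable pattern it would be whatever
// an attacker with write access to Redis had stored.
function constructedRedisValue(): string
{
    return serialize(new WakeupProbe());
}

// Vulnerable pattern: any class named in the payload is instantiated and its
// __wakeup() runs before the application ever inspects the result.
function unrestrictedRead(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened pattern: no class may be instantiated. Objects in the payload come
// back as __PHP_Incomplete_Class, and the named class's __wakeup()/__destruct()
// never execute. Pass an explicit array of class names instead of false when
// the stored data legitimately contains objects of known types.
function restrictedRead(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

$raw = constructedRedisValue();

$loose = unrestrictedRead($raw);
printf("unrestricted: %s, wakeups=%d\n", get_class($loose), WakeupProbe::$wakeups);

$strict = restrictedRead($raw);
printf("restricted:   %s, wakeups=%d\n", get_class($strict), WakeupProbe::$wakeups);
```

The wakeup counter advances only on the unrestricted read; the restricted read returns a __PHP_Incomplete_Class instance, which is the point at which a crafted payload stops being executable logic and becomes inert data.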

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

laravel/pulse is vulnerable to Deserialization of Untrusted Data in versions 1.0.0 - 1.6.0.

How to fix this

Upgrade the laravel/pulse library to the patched version, 1.7.0 or later.