VDB
KO
HIGH 8.0

GHSA-w9mx-xmg4-gc4r

laravel-backup-restore has an OS Command Injection during database restore

Details

## Summary A crafted backup archive can trigger OS command injection during database restore. The restore workflow extracts a ZIP archive, enumerates files under `db-dumps`, converts the dump path to an absolute path, and passes that path into database import commands that are built as shell command strings.

The dump filename is not shell-escaped before it is interpolated into commands such as:

- `mysql ... < {dumpFile}` - `gunzip -c {dumpFile}` / `gunzip < {dumpFile}` - `psql ... < {dumpFile}` - `sqlite3 ... < {dumpFile}`

Because `Illuminate\Support\Facades\Process::run(string)` uses Symfony `Process::fromShellCommandline()`, shell metacharacters in the dump filename are interpreted by `/bin/sh` on Unix-like systems or by the platform shell on Windows.

### Impact If an attacker can cause an operator or automation to restore a malicious backup archive, the attacker can execute arbitrary shell commands as the PHP/Laravel application user on the system performing the restore. This can lead to application compromise, database credential disclosure, tampering with restored data, and further lateral movement depending on deployment permissions.

This is not about malicious SQL inside the dump. The command injection is carried in the ZIP entry filename under `db-dumps`, before the dump content is imported.

### Patches The vulnerability has been fixed in v1.9.4 of the package.

### Workarounds There is no configuration option that disables the vulnerable code path. Upgrading to the patched release is the only complete fix.

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / wnx/laravel-backup-restore
Introduced in: 0 Fixed in: 1.9.4
Fix composer require wnx/laravel-backup-restore:^1.9.4

References