Executive Summary
A critical remote code execution vulnerability (CVE-2026-31843) has been identified in the goodoneuz/pay-uz Laravel payment integration package, affecting all versions up to and including 2.2.24. The flaw carries a CVSS score of 9.8 and requires no authentication to exploit.
The vulnerability stems from a /payment/api/editable/update endpoint registered via Route::any() with no authentication middleware. An unauthenticated attacker can POST malicious PHP code to this endpoint, causing it to be written directly into an existing payment hook file. The injected code is then executed during the next legitimate payment workflow that triggers the hook.
Applications using this package for payment processing (UzCard, Humo, PayMe, Click integrations) are at direct risk of full server compromise.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-31843 |
| CVSS Score | 9.8 (Critical) |
| CWE | CWE-434 — Unrestricted Upload of File with Dangerous Type |
| Type | Remote Code Execution via File Overwrite |
| Attack Vector | Network |
| Privileges Required | None (unauthenticated) |
| User Interaction | None |
| Scope | Unchanged (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H is the vector that yields 9.8; a changed scope with these metrics would score 10.0) |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| Patch Available | Update to 2.2.25+ or remove the package |
Affected Versions
| Package | Affected Versions | Fixed Version |
|---|---|---|
| goodoneuz/pay-uz | <= 2.2.24 | 2.2.25+ |
Technical Analysis
Root Cause
The goodoneuz/pay-uz package registers a route for updating payment hook configuration at /payment/api/editable/update. This route is defined with Route::any(), accepting all HTTP methods, and is registered without any authentication or authorization middleware.
The endpoint accepts user-supplied PHP code in the request body and writes it to existing payment hook files using PHP's file_put_contents(). These hook files are subsequently included via require() statements embedded in the normal payment processing flow.
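As an added illustration (not the goodoneuz/pay-uz source, and not a description of the 2.2.25 patch, which this advisory does not detail), the routes-file excerpt below shows the vulnerable shape the advisory describes next to a hardened registration of the same path. The gate name payment.manage, the storage/app/payment-hooks directory, the setting keys and the loadHookSettings() helper are all assumptions made for the example.

```php
<?php
// Added illustrative example for a Laravel routes file (e.g. routes/web.php); not the
// goodoneuz/pay-uz source and not its 2.2.25 patch. Assumed names: the 'payment.manage'
// gate, the storage/app/payment-hooks directory and the setting keys are hypothetical.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\Storage;

// Vulnerable shape as the advisory describes it: every HTTP verb, no middleware, and the
// request body written verbatim into a file that the payment flow later require()s.
// Shown for contrast only; a real routes file contains just the hardened version below.
Route::any('/payment/api/editable/update', function (Request $request) {
    file_put_contents(app_path('Payments/hook.php'), $request->input('content'));
    return response()->json(['ok' => true]);
});

// Hardened shape: one verb, authenticated and authorised callers only, validated
// settings stored as JSON under storage/ (never as PHP source on an include path).
Route::post('/payment/api/editable/update', function (Request $request) {
    $settings = $request->validate([
        'provider'     => ['required', 'in:uzcard,humo,payme,click'],
        'callback_url' => ['required', 'url', 'max:2048'],
        'enabled'      => ['required', 'boolean'],
    ]);

    Storage::disk('local')->put(
        'payment-hooks/' . $settings['provider'] . '.json',
        json_encode($settings, JSON_THROW_ON_ERROR)
    );

    return response()->json(['ok' => true]);
})->middleware(['auth', 'can:payment.manage']);

// Consumer side: the payment flow reads settings as data instead of require()-ing a hook
// file, so nothing an HTTP client can write is ever executed as PHP.
function loadHookSettings(string $provider): ?array
{
    $path = 'payment-hooks/' . basename($provider) . '.json';
    if (!Storage::disk('local')->exists($path)) {
        return null;
    }
    return json_decode(Storage::disk('local')->get($path), true, 512, JSON_THROW_ON_ERROR);
}
```

The three properties that matter are the verb restriction, the middleware chain, and the fact that what the client sends is validated data written to a non-PHP file outside any include path; registering the hardened route in routes/web.php additionally puts it behind Laravel's CSRF middleware.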
Attack Flow
1. Attacker identifies a Laravel app using goodoneuz/pay-uz <= 2.2.24
2. Attacker sends POST to: /payment/api/editable/update
Body includes malicious PHP that calls passthru() or similar
3. Application writes attacker's PHP to existing payment hook file
4. Attacker triggers a payment flow (or waits for one to occur)
5. Hook file is require()'d, executing attacker's PHP with app-level privileges
6. Full Remote Code Execution achieved: web shell established
Why This Is Severe
The absence of authentication on a write-capable endpoint that directly modifies includable PHP files is a textbook unauthenticated RCE scenario. The exploit requires a single HTTP POST — no credentials, tokens, or prior access needed.
Route::any() registers the route for every verb Laravel's router supports (GET, HEAD, POST, PUT, PATCH, DELETE and OPTIONS), so the endpoint answers whatever method an automated scanner or exploit kit happens to send.
Impact Assessment
| Impact Area | Description |
|---|---|
| Remote Code Execution | Arbitrary PHP code executed with web server privileges |
| Full Application Compromise | Attacker can read, modify, or delete any application file |
| Database Access | Laravel .env credentials accessible — full DB dump possible |
| Payment Data Exfiltration | Direct access to payment processing logic and transaction data |
| Persistent Backdoor | Webshell survives restarts; attacker maintains persistent access |
| Lateral Movement | Pivot from web server into internal network infrastructure |
| Shared Hosting Risk | On shared hosting, a compromised PHP worker can reach other co-hosted applications |
Immediate Remediation
Step 1: Update or Remove the Package
# Update to fixed version
composer require goodoneuz/pay-uz:^2.2.25
# Or remove if no longer needed
composer remove goodoneuz/pay-uz
Either way, clear any cached route table afterwards (php artisan route:clear), otherwise a route cache built before the update keeps serving the old route definition.
Step 2: Check for Exploitation
# Search for PHP files modified since the last deployment (excluding vendor).
# -newer artisan uses the artisan file's mtime as the deploy baseline; if your deploy
# touches every file, use the deploy time instead, e.g. -newermt "YYYY-MM-DD HH:MM".
find /path/to/laravel -name "*.php" -newer /path/to/laravel/artisan \
    -type f -not -path "*/vendor/*"
# Review web server logs for requests to the vulnerable endpoint; zgrep also reads
# rotated, gzip-compressed logs, and any method counts because the route used Route::any()
zgrep "/payment/api/editable/update" /var/log/nginx/access.log*
zgrep "/payment/api/editable/update" /var/log/apache2/access.log*
Step 3: Block the Endpoint at the Web Server
If an immediate update is not possible, block the route at the web server. Place the Nginx block before any other regex location (the first matching regex wins); return 403 fires in the rewrite phase, before the request reaches PHP-FPM, so a separate deny all is not needed. The Apache block uses 2.4 syntax and covers the path plus anything beneath it. This only buys time: the writable hook files and the missing middleware remain until the package is updated.
# Nginx: deny requests to the vulnerable endpoint (case-insensitive prefix match)
location ~* ^/payment/api/editable/update {
    return 403;
}
# Apache (2.4 syntax): deny access to the vulnerable endpoint
<Location "/payment/api/editable/update">
    Require all denied
</Location>
Step 4: Rotate All Credentials
If exploitation cannot be ruled out, treat all credentials as compromised:
# Regenerate Laravel application key. This invalidates everything encrypted with the old
# APP_KEY (encrypted cookies, session cookies, values stored via Crypt), which is the
# intent here; re-run php artisan config:cache afterwards if config caching is enabled
php artisan key:generate
# Rotate .env database passwords, API keys, and payment gateway credentials
Detection Indicators
| Indicator | Description |
|---|---|
| Requests to /payment/api/editable/update (any method; POST, PUT and PATCH most likely carry the overwrite) | Direct exploitation attempts in access logs |
| Unexpected PHP content in payment hook files | Evidence of file overwrite |
| Webshell patterns in PHP files | Post-exploitation implants |
| Outbound connections from web process to unexpected IPs | C2 communication from webshell |
| New files in storage/ or app/Payments/ directories | Dropped payloads or persistence files |
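The log review in Step 2 and the first three indicators above can be checked with one small script. The following is an added triage example, not part of this advisory or of the goodoneuz/pay-uz project; the access log lines and the two hook file contents are constructed samples, and the list of dangerous function names is an assumption about what a legitimate payment hook never needs.

```php
<?php
// Added triage example; not from the advisory or the goodoneuz/pay-uz project. The access
// log lines and hook file contents below are constructed samples. In a real incident,
// feed file($accessLogPath) and file_get_contents($hookPath) to the same two functions.
declare(strict_types=1);

const VULN_ENDPOINT = '/payment/api/editable/update';

// Functions a payment hook has no business calling (assumed list); any hit needs a human look.
const DANGEROUS_CALLS = ['passthru', 'system', 'exec', 'shell_exec', 'popen', 'proc_open',
    'eval', 'assert', 'base64_decode', 'gzinflate', 'str_rot13'];

/** Parse one combined-format access log line; returns null for lines that do not match. */
function parseAccessLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
}

/**
 * Every request that touched the vulnerable route. The route was registered with
 * Route::any(), so all verbs are reported; write verbs are flagged as the likely overwrite.
 */
function findExploitAttempts(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parseAccessLine($line);
        if ($req === null) {
            continue;
        }
        $path = strtok($req['path'], '?');   // drop any query string before comparing
        if (stripos($path, VULN_ENDPOINT) === 0) {
            $req['write_verb'] = in_array($req['method'], ['POST', 'PUT', 'PATCH'], true);
            $hits[] = $req;
        }
    }
    return $hits;
}

/** Names from DANGEROUS_CALLS that appear as plain or namespaced function calls in PHP source. */
function scanHookSource(string $source): array
{
    $found = [];
    foreach (DANGEROUS_CALLS as $fn) {
        // Matches "passthru(" and "\passthru("; "->exec(" and "::exec(" are skipped.
        if (preg_match('/(?<![A-Za-z0-9_>:])' . $fn . '\s*\(/i', $source)) {
            $found[] = $fn;
        }
    }
    return $found;
}

// Constructed sample traffic: one scanner host probing the endpoint amid normal requests.
$sampleLog = [
    '203.0.113.7 - - [03/Mar/2026:10:14:02 +0000] "POST /payment/api/editable/update HTTP/1.1" 200 17 "-" "python-requests/2.31"',
    '198.51.100.12 - - [03/Mar/2026:10:14:05 +0000] "GET /payment/status?id=42 HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Mar/2026:10:14:09 +0000] "GET /payment/api/editable/update/ HTTP/1.1" 200 0 "-" "python-requests/2.31"',
    '203.0.113.7 - - [03/Mar/2026:10:14:30 +0000] "POST /payment/callback/payme HTTP/1.1" 200 2 "-" "curl/8.5"',
];

// Constructed hook contents: a legitimate data-only hook and one overwritten with a command runner.
$cleanHook = "<?php\nnamespace App\\Payments;\nreturn ['provider' => 'payme', 'enabled' => true];\n";
$injectedHook = "<?php\n\\passthru(\$_REQUEST['c']);\n";

foreach (findExploitAttempts($sampleLog) as $hit) {
    printf("%s %s %s %s -> %d%s\n", $hit['time'], $hit['ip'], $hit['method'], $hit['path'],
        $hit['status'], $hit['write_verb'] ? ' [write verb: probable overwrite]' : '');
}
foreach (['clean' => $cleanHook, 'injected' => $injectedHook] as $label => $src) {
    $flags = scanHookSource($src);
    echo $label, ': ', $flags ? 'FLAGGED (' . implode(', ', $flags) . ')' : 'no dangerous calls', "\n";
}
```

Run it with php from the CLI. On the sample data it reports both requests from 203.0.113.7 to the endpoint (the POST flagged as the probable overwrite, the trailing-slash GET still listed because Route::any() served it) and flags only the injected hook, for passthru. A 200 on the POST is the detail to look for: the vulnerable versions returned success on the write, so a 403 from the Step 3 web-server block, or a 404/405 after the update, is what a blocked probe looks like.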
Post-Remediation Checklist
- Update goodoneuz/pay-uz to version 2.2.25 or later
- Audit all payment hook files for injected code
- Scan all PHP files for webshells and backdoors
- Review web server logs for prior exploitation of the endpoint
- Rotate all application credentials (DB, API keys, payment gateway)
- Regenerate Laravel application key and invalidate all sessions
- Deploy WAF rules to block writes to sensitive endpoints
- Enable file integrity monitoring on the application directory
- Review all unauthenticated routes in the application's route files