Laravel Framework Environment Manipulation Vulnerability via Query String
CVE-2024-52301 Published on November 12, 2024

Laravel allows environment manipulation via query string
Laravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-cli SAPIs.

Github Repository NVD

Weakness Type

What is an Argument Injection Vulnerability?

The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

CVE-2024-52301 has been classified to as an Argument Injection vulnerability or weakness.


Products Associated with CVE-2024-52301

Want to know whenever a new CVE is published for Laravel? stack.watch will email you.

Laravel
 

Affected Versions

laravel framework: laravel framework:

Vulnerable Packages

The following package name and versions may be associated with CVE-2024-52301

Package Manager Vulnerable Package Versions Fixed In
composer laravel/framework < 6.20.45 6.20.45
composer laravel/framework >= 7.0.0, < 7.30.7 7.30.7
composer laravel/framework >= 8.0.0, < 8.83.28 8.83.28
composer laravel/framework >= 9.0.0, < 9.52.17 9.52.17
composer laravel/framework >= 10.0.0, < 10.48.23 10.48.23
composer laravel/framework >= 11.0.0, < 11.31.0 11.31.0

Exploit Probability

EPSS
60.13%
Percentile
98.24%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.