GHSA-crmm-hgp2-wgrp: Laravel Framework: Temporary Signed URL Path Confusion
A vulnerability in Laravel’s local filesystem driver allows temporary signed URLs to be parsed ambiguously, potentially misrouting requests and bypassing expiration enforcement.
Under certain conditions, a generated temporary signed URL can be interpreted differently by the server than intended at signing time. This may cause requests to resolve to an unintended resource, and can prevent expiration from being enforced, allowing expired URLs to remain valid indefinitely.