GHSA-qm5c-m76r-2hfr: Laravel RCE vulnerability in "cookie" session driver

May 15, 2024

Applications using the “cookie” session driver that were also exposing an encryption oracle via their application were vulnerable to remote code execution. An encryption oracle is a mechanism where arbitrary user input is encrypted and the encrypted string is later displayed or exposed to the user. This combination of scenarios lets the user generate valid Laravel signed encryption strings for any plain-text string, thus allowing them to craft Laravel session payloads when an application is using the “cookie” driver.

References

blog.laravel.com/laravel-cookie-security-releases
github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/2020-07-27-1.yaml
github.com/advisories/GHSA-qm5c-m76r-2hfr
github.com/laravel/framework

Code Behaviors & Features

Detect and mitigate GHSA-qm5c-m76r-2hfr with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →