CVE-2018-15133
Published: 09 August 2018
Summary
CVE-2018-15133 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in the Laravel Framework (vendor: Laravel). Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2018-15133 affects the Laravel Framework through version 5.5.40 and 5.6.x through 5.6.29. It stems from unsafe handling of the X-XSRF-TOKEN header, where the decrypt method in Illuminate/Encryption/Encrypter.php performs an unserialize operation on attacker-supplied data. This enables use of known gadget chains, such as the one in phpggc for Laravel RCE, when the application key is known.
An attacker with knowledge of the application key can supply a crafted token to trigger remote code execution. The key requirement implies the attacker must have obtained it through prior privileged access or a separate compromise, after which the deserialization flaw allows arbitrary code execution with the privileges of the web application process.
Laravel addressed the issue by releasing version 5.6.30 and corresponding patches for the 5.5 branch, as documented in the framework upgrade notes. The vulnerability is also catalogued in CISA's known exploited vulnerabilities list, confirming observed in-the-wild activity.
Public exploit code has been published on PacketStorm, demonstrating practical weaponization of the deserialization path once the application key is obtained.
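To make the flaw and the shape of the fix concrete, the following is an added PHP example, not Laravel's own code: a simplified encrypt-then-MAC envelope in the style of the Laravel Encrypter, a CSRF check that unserializes the decrypted header (the CWE-502 pattern), and a hardened check that treats the token as an opaque string. DEMO_KEY, seal(), openEnvelope() and the two check functions are constructed for this illustration.

```php
<?php
// Constructed demo key for this example only; Laravel's APP_KEY is likewise a 32-byte AES-256 key.
const DEMO_KEY = '0123456789abcdef0123456789abcdef';

// Simplified envelope in the style of Laravel's Encrypter (not the framework's code):
// base64(json({iv, value, mac})) using AES-256-CBC and HMAC-SHA256 over iv.value.
function seal(string $key, string $plaintext): string {
    $iv = random_bytes(16);
    $value = base64_encode(openssl_encrypt($plaintext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv));
    $ivB64 = base64_encode($iv);
    $mac = hash_hmac('sha256', $ivB64 . $value, $key);
    return base64_encode(json_encode(['iv' => $ivB64, 'value' => $value, 'mac' => $mac]));
}

// Verify the MAC, then decrypt. Returns null on any failure.
function openEnvelope(string $key, string $token): ?string {
    $payload = json_decode(base64_decode($token, true) ?: '', true);
    if (!is_array($payload) || !isset($payload['iv'], $payload['value'], $payload['mac'])) {
        return null;
    }
    $expected = hash_hmac('sha256', $payload['iv'] . $payload['value'], $key);
    if (!hash_equals($expected, $payload['mac'])) {
        return null; // a valid MAC only proves the sender held the key; it says nothing about the content
    }
    $plain = openssl_decrypt(base64_decode($payload['value']), 'aes-256-cbc', $key,
                             OPENSSL_RAW_DATA, base64_decode($payload['iv']));
    return $plain === false ? null : $plain;
}

// VULNERABLE (CWE-502): the decrypted header goes through unserialize(), so whoever holds
// the key decides which classes get instantiated; that is what the phpggc chain relies on.
function csrfMatchesVulnerable(string $key, string $header, string $sessionToken): bool {
    $plain = openEnvelope($key, $header);
    return $plain !== null && unserialize($plain) === $sessionToken;
}

// HARDENED: the token is an opaque 40-character string. Decrypt without unserialize and
// compare in constant time; this is the shape of the 5.6.30 fix.
function csrfMatchesSafe(string $key, string $header, string $sessionToken): bool {
    $plain = openEnvelope($key, $header);
    return $plain !== null && hash_equals($sessionToken, $plain);
}

// Legitimate tokens: the vulnerable path stores serialize($session), the safe path the raw string.
$session = bin2hex(random_bytes(20));
var_dump(csrfMatchesVulnerable(DEMO_KEY, seal(DEMO_KEY, serialize($session)), $session));
var_dump(csrfMatchesSafe(DEMO_KEY, seal(DEMO_KEY, $session), $session));

// Envelope carrying a serialized object instead of a token: the MAC passes in both paths,
// but only the vulnerable path turns the content into a live object; the safe path just rejects it.
$objectToken = seal(DEMO_KEY, 'O:8:"stdClass":0:{}');
var_dump(is_object(unserialize(openEnvelope(DEMO_KEY, $objectToken) ?? '')));
var_dump(csrfMatchesSafe(DEMO_KEY, $objectToken, $session));
```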
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-5039
Vulnerability details
In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.
- CWE(s): CWE-502
- KEV Date Added: 16 January 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): directly blocks the root cause by requiring validation and sanitization of the X-XSRF-TOKEN value before any decrypt/unserialize operation occurs.
SI-2 (Flaw Remediation): mandates prompt application of the Laravel 5.5.40/5.6.30 patches that removed the unsafe unserialize path in Encrypter.php.
Requires integrity verification of application code and configuration to detect tampering that could expose the APP_KEY or leave the vulnerable deserialization path in place.