Cyber Posture

CVE-2024-13919

High · Public PoC

Published: 10 March 2025
Modified: 24 March 2025
KEV Added: not listed
Patch: available (Laravel 11.36.0 or later)
CVSS Score: 8.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0025 (48.7th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-13919 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Laravel Framework. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002). The CVE ranks at the 48.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Spearphishing Link (T1566.002) and Browser Session Hijacking (T1185). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-15 Information Output Filtering (prevent)

Mandates output filtering and encoding of route parameters on the debug error page to directly prevent reflected XSS script execution.

SI-11 Error Handling (prevent)

Ensures error handling on debug-mode pages does not compromise security by reflecting unencoded user input. In practice this also means not running production with debug mode (APP_DEBUG) enabled, which is the precondition for reaching the vulnerable page at all.

SI-2 Flaw Remediation (prevent)

Requires identification, reporting, and correction of the encoding flaw by patching to Laravel 11.36.0 or later.

MITRE ATT&CK Enterprise Techniques

T1566.002 Spearphishing Link Initial Access
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

Reflected XSS via a crafted URL gives the attacker a link to deliver by spearphishing (T1566.002); once the script runs in the victim's browser, it can act within the victim's session or steal data from the application's origin (T1185).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

NVD Description

The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of route parameters in the debug-mode error page.

Deeper analysis

CVE-2024-13919 is a reflected cross-site scripting (XSS) vulnerability affecting the Laravel framework in versions 11.9.0 through 11.35.1. The issue stems from improper encoding of route parameters when displayed on the debug-mode error page, allowing malicious scripts to be injected and executed. It carries a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N) and maps to CWE-79.

An unauthenticated remote attacker can exploit this vulnerability by tricking a user into opening a specially crafted URL that triggers an error page while the application runs in debug mode. The unencoded route parameter reflects the attacker's payload, so the script executes in the victim's browser in the application's origin, with high confidentiality and integrity impact (acting within the victim's session, exfiltrating same-origin data). Two practical caveats follow from the CVSS vector: the victim must click the link (UI:R), and the target must be deployed with debug mode enabled (AC:H), which Laravel documentation advises against in production. Laravel's session cookie is HttpOnly by default, so injected script typically cannot read the cookie value directly, but it can still issue authenticated requests on the victim's behalf.

Mitigation involves upgrading to Laravel framework version 11.36.0 or later, where the fix was implemented via pull request #53869 on GitHub. As a compensating control, ensure APP_DEBUG is false in production so the affected error page is never rendered. Further details on the vulnerability and remediation are provided in the SBA Research advisory on GitHub and in the oss-security mailing list announcement.
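The following is an added, offline triage script written for this page (it is not Laravel's code nor part of the SBA advisory). It combines the three signals a practitioner would check before calling an instance exposed: the laravel/framework version pinned in composer.lock against the affected range 11.9.0 to 11.35.1, whether .env turns on APP_DEBUG, and whether a captured error-page response reflects a canary route parameter with or without HTML encoding. The composer.lock, .env and HTML bodies below are constructed samples, and the error-page wording in them is invented for illustration; the canary string is an assumption of this example.

```python
"""Exposure triage for CVE-2024-13919 (reflected XSS on Laravel's debug error page).

Added example, not project code. All inputs below are constructed samples.
"""
import json
import re
from typing import Optional

# Affected range per the NVD description; the fix shipped in 11.36.0.
AFFECTED_MIN = (11, 9, 0)
AFFECTED_MAX = (11, 35, 1)

# Canary sent as the route parameter (assumed marker for this example). It survives
# verbatim only if the page reflects it without HTML encoding.
CANARY = "c13919<s>c13919"


def parse_version(tag: str) -> tuple:
    """Turn a composer version tag such as 'v11.20.0' into a comparable tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag.strip())
    if not m:
        raise ValueError(f"unrecognised version tag: {tag!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(tag: str) -> bool:
    """True when laravel/framework is within 11.9.0 .. 11.35.1 inclusive."""
    return AFFECTED_MIN <= parse_version(tag) <= AFFECTED_MAX


def framework_version_from_lock(lock_json: str) -> Optional[str]:
    """Read the laravel/framework version pinned in a composer.lock document."""
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "laravel/framework":
            return pkg.get("version")
    return None


def debug_enabled(env_text: str) -> bool:
    """True if a .env file turns on APP_DEBUG, the precondition for this bug.
    Accepts the truthy spellings Laravel's env() helper treats as boolean true."""
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "APP_DEBUG":
            return value.strip().strip("\"'").lower() in ("true", "(true)", "1")
    return False  # config/app.php defaults 'debug' to false when APP_DEBUG is unset


def reflection_state(body: str) -> str:
    """Classify how an error page reflected the canary route parameter:
    'unencoded' (exploitable reflection), 'encoded' (entities applied) or 'absent'."""
    if CANARY in body:
        return "unencoded"
    if CANARY.replace("<", "&lt;").replace(">", "&gt;") in body:
        return "encoded"
    return "absent"


def triage(lock_json: str, env_text: str, body: str) -> dict:
    """Combine the three signals into one verdict for the deployment."""
    version = framework_version_from_lock(lock_json)
    affected = version is not None and is_affected_version(version)
    debug = debug_enabled(env_text)
    reflect = reflection_state(body)
    return {
        "version": version,
        "affected_version": affected,
        "debug_enabled": debug,
        "reflection": reflect,
        # All three must hold: vulnerable build, debug page reachable, raw reflection seen.
        "exploitable": affected and debug and reflect == "unencoded",
    }


# Constructed samples (not captured from a real application).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel/framework", "version": "v11.20.0"},
    {"name": "symfony/http-foundation", "version": "v7.1.0"},
]})
SAMPLE_ENV = "APP_NAME=demo\n# left over from development\nAPP_DEBUG=true\n"
# Invented page fragments: raw reflection vs. the entity-encoded form a fixed build emits.
SAMPLE_BODY_RAW = "<h1>Route parameter c13919<s>c13919 is invalid</h1>"
SAMPLE_BODY_ESCAPED = "<h1>Route parameter c13919&lt;s&gt;c13919 is invalid</h1>"

if __name__ == "__main__":
    print(triage(SAMPLE_LOCK, SAMPLE_ENV, SAMPLE_BODY_RAW))
    print(triage(SAMPLE_LOCK, "APP_DEBUG=false\n", SAMPLE_BODY_ESCAPED))
```

To use it against a real deployment, feed it the contents of the application's composer.lock and .env and the body of a response to a request whose route parameter is the canary; a verdict of affected_version true with debug_enabled false is still worth patching, since debug mode can be switched on later.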

Details

CWE(s)

CWE-79 Cross-site Scripting
Affected Products

laravel/framework 11.9.0 to 11.35.1 (fixed in 11.36.0)

CVEs Like This One

CVE-2024-13918 (same product: Laravel Framework)
CVE-2025-27515 (same product: Laravel Framework)
CVE-2025-22682 (shared CWE-79)
CVE-2025-67978 (shared CWE-79)
CVE-2025-23904 (shared CWE-79)
CVE-2025-22498 (shared CWE-79)
CVE-2025-22754 (shared CWE-79)
CVE-2025-23547 (shared CWE-79)
CVE-2025-23593 (shared CWE-79)
CVE-2026-25352 (shared CWE-79)
