Cyber Resilience

CVE-2024-52301

High

Published: 12 November 2024
Modified: 26 August 2025
KEV Added: not listed
Patch: available (fixed releases listed below)
CVSS v4.0 Score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N; threat, environmental and supplemental metrics not defined)
EPSS Score: 0.6571 (98.5th percentile)
Risk Priority: 57 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-52301 is a high-severity Argument Injection (CWE-88) vulnerability in the Laravel Framework. Its CVSS v4.0 base score is 8.7 (High).

Operationally, the CVE ranks in the top 1.5% of all CVEs by EPSS exploit likelihood (EPSS 0.6571), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

Laravel is a PHP web application framework. CVE-2024-52301 arises when the PHP directive register_argc_argv is enabled on a web SAPI (for example PHP-FPM or mod_php): PHP then populates $_SERVER['argv'] from the request's query string, and affected Laravel releases consulted that array for a --env argument when detecting the application environment, just as they do for an artisan console command. A request to any URL with a crafted query string can therefore change the environment the framework selects while handling that request. The weakness is tracked as CWE-88 (Argument Injection). It was resolved in Laravel 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23 and 11.31.0, which ignore argv values for environment detection outside CLI contexts.

An unauthenticated remote attacker can exploit the vulnerability over the network with a single crafted HTTP request; no user interaction or privileges are required (AV:N/PR:N/UI:N). Forcing the application into an unintended environment changes which configuration the framework applies, which the CVSS vector scores as a high integrity impact (VI:H) with no confidentiality or availability impact. The practical consequence depends on how the application branches on its environment name, for instance whether an environment-specific configuration enables debug output or relaxes checks.

Both the GitHub Security Advisory GHSA-gv7v-rgg6-548h and the Debian LTS announcement direct users to upgrade to one of the patched Laravel versions listed above. The update prevents argv-based environment overrides on non-CLI SAPIs, so the vector is closed even where register_argc_argv remains enabled. Because the flaw requires that directive to be on, confirming it is Off for the web SAPI (it is a php.ini setting, visible through php -i or phpinfo()) is the obvious interim check while the upgrade is scheduled.
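To make the mechanism concrete, here is an added PHP illustration of the argv lookup in its vulnerable and hardened forms. It is not Laravel's code and not taken from the advisory; argvFromQueryString, detectEnvVulnerable, detectEnvHardened and registerArgcArgvEnabled are hypothetical stand-ins for the framework's environment detector, and the GET /?--env=local request is constructed for the example.

```php
<?php
// Added illustration, not Laravel's own code. Function names are hypothetical.
declare(strict_types=1);

// What PHP does for a web SAPI when register_argc_argv=On: the raw query
// string is split on '+' and exposed as $_SERVER['argv'] (with argc).
function argvFromQueryString(string $queryString): array
{
    return $queryString === '' ? [] : explode('+', $queryString);
}

// Vulnerable pattern: honour a --env=<name> argument from argv no matter
// which SAPI is running, so GET /?--env=local wins over the real setting.
function detectEnvVulnerable(?array $serverArgv, string $configuredEnv): string
{
    foreach ($serverArgv ?? [] as $arg) {
        if (strncmp($arg, '--env=', 6) === 0) {
            return substr($arg, 6);
        }
    }
    return $configuredEnv;
}

// Hardened pattern, mirroring the fix the advisory describes: argv is only
// consulted when the process really is a console run (cli or phpdbg SAPI).
function detectEnvHardened(?array $serverArgv, string $configuredEnv, string $sapi): string
{
    $consoleArgs = ($sapi === 'cli' || $sapi === 'phpdbg') ? $serverArgv : null;
    return detectEnvVulnerable($consoleArgs, $configuredEnv);
}

// Operational check: is the precondition present on this host?
// ini_get() may return "1", "0", "" or the literal "On"/"Off".
function registerArgcArgvEnabled(): bool
{
    $raw = strtolower(trim((string) ini_get('register_argc_argv')));
    return in_array($raw, ['1', 'on', 'true', 'yes'], true);
}

// Constructed request: GET /?--env=local served by PHP-FPM, while the
// application's real environment is production.
$sapi          = 'fpm-fcgi';
$configuredEnv = 'production';
$argv          = argvFromQueryString('--env=local');

printf("vulnerable detector: %s\n", detectEnvVulnerable($argv, $configuredEnv));
printf("hardened detector:   %s\n", detectEnvHardened($argv, $configuredEnv, $sapi));
printf("register_argc_argv on this host (%s): %s\n",
    PHP_SAPI, registerArgcArgvEnabled() ? 'enabled' : 'disabled');
```

With these inputs the vulnerable detector returns local and the hardened one returns production. Note that when this script is run from the command line PHP_SAPI is cli, where register_argc_argv is always on; the meaningful version of the ini check is the one taken inside the web SAPI (for example from a phpinfo() page or the FPM pool's php.ini), since that is the configuration the vulnerable request path sees.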


Vulnerability details

Laravel is a web application framework. When the register_argc_argv PHP directive is set to On, and users call any URL with a specially crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability was fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-CLI SAPIs.

CWE(s)

CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

laravel / framework: < 6.20.45 · 7.0.0 to < 7.30.7 · 8.0.0 to < 8.83.28 · 9.0.0 to < 9.52.17 · 10.0.0 to < 10.48.23 · 11.0.0 to < 11.31.0
debian / debian linux: 11.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
