CVE-2024-52301
Published: 12 November 2024
Summary
CVE-2024-52301 is a high-severity Argument Injection (CWE-88) vulnerability in Laravel Framework. Its CVSS base score is 8.7 (High).
Operationally, it is ranked in the top 1.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Laravel is a PHP-based web application framework affected by CVE-2024-52301. The flaw occurs when the PHP directive register_argc_argv is enabled, allowing a specially crafted query string supplied to any URL to alter the application environment that the framework selects during request handling. The issue stems from improper handling of argv values for environment detection on non-CLI SAPIs and is tracked under CWE-88. It was resolved in Laravel releases 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0 by ensuring argv values are ignored for environment detection outside CLI contexts.
An unauthenticated remote attacker can exploit the vulnerability over the network by sending a crafted HTTP request containing a malicious query string. Successful exploitation lets the attacker force the application into an unintended environment, which can have a high impact on integrity, such as altered configuration or behavior, without requiring user interaction or elevated privileges.
The GitHub Security Advisory GHSA-gv7v-rgg6-548h and the Debian LTS announcement both direct users to upgrade to one of the patched Laravel versions listed above. They note that the framework update prevents argv-based environment overrides on non-CLI SAPIs, eliminating the vector when register_argc_argv remains enabled.
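The following Python check is an added example, not code from Laravel or from the advisories: it reads a composer.lock and a php.ini and reports whether the installed laravel/framework is below the fixed release for its branch and whether register_argc_argv is on. The function names and the sample inputs are assumptions constructed for illustration.

```python
import json
import re

# Fixed releases per major branch, as listed in the advisory text above.
FIXED = {6: (6, 20, 45), 7: (7, 30, 7), 8: (8, 83, 28),
         9: (9, 52, 17), 10: (10, 48, 23), 11: (11, 31, 0)}

def laravel_version(composer_lock_text):
    """Return the locked laravel/framework version as a tuple, or None."""
    for pkg in json.loads(composer_lock_text).get("packages", []):
        if pkg.get("name") == "laravel/framework":
            m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", pkg.get("version", ""))
            return tuple(map(int, m.groups())) if m else None
    return None

def argc_argv_setting(php_ini_text):
    """True/False from the last active register_argc_argv line, None if unset."""
    value = None
    for line in php_ini_text.splitlines():
        # Lines commented out with ';' do not match, so they are ignored.
        m = re.match(r'\s*register_argc_argv\s*=\s*"?(\w+)', line)
        if m:
            value = m.group(1).lower() in ("1", "on", "true", "yes")
    return value

def triage(composer_lock_text, php_ini_text):
    """Classify one deployment; php_ini_text should be the web SAPI's ini."""
    version = laravel_version(composer_lock_text)
    if version is None:
        return "unknown: laravel/framework version not found"
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "review: branch is not in the advisory's list of fixed releases"
    if version >= fixed:
        return "patched"
    setting = argc_argv_setting(php_ini_text)
    if setting is False:
        return "unpatched, not exposed: register_argc_argv is off"
    if setting is True:
        return "vulnerable: unpatched and register_argc_argv is on"
    return "unpatched: register_argc_argv not set in this file, check effective value"

# Constructed sample inputs (not taken from a real deployment).
SAMPLE_LOCK = '{"packages": [{"name": "laravel/framework", "version": "v10.48.22"}]}'
SAMPLE_INI = "; constructed php.ini fragment\nregister_argc_argv = On\n"

if __name__ == "__main__":
    print(triage(SAMPLE_LOCK, SAMPLE_INI))
```

A result of "unpatched, not exposed" still calls for the upgrade, since the directive can be re-enabled by a later configuration change.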
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-3258
Vulnerability details
Laravel is a web application framework. When the register_argc_argv PHP directive is set to on, and users call any URL with a specially crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability is fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-CLI SAPIs.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.