A reflected cross-site scripting (XSS) vulnerability has been identified in the Laravel framework, affecting versions 11.9.0 through 11.35.1.
The issue is improper encoding of request parameters on the framework's error page when the application runs in debug mode.
The flaw has been assigned CVE-2024-13918 and is rated high severity with a CVSS score of 8.0 in the GitHub Security Advisory that reports it.
The vulnerability lies in Laravel's debug-mode error page, which displays detailed request information, including URL parameters and the request body, to help developers diagnose failures.
This data is written into the page without HTML encoding, so an attacker who controls a request parameter can inject JavaScript that the victim's browser executes in the application's origin.
Two conditions must hold: the application must be running with debug mode active (APP_DEBUG=true), and the user must open an attacker-supplied link to an endpoint that raises an unhandled exception, so that the debug error page is rendered.
Vulnerability Description
When Laravel is in debug mode (APP_DEBUG=true) and a request ends in an unhandled exception (typically an HTTP 5XX response), the framework renders an error page that includes the details of the offending request.
The following snippet from Laravel's error page template shows how the request body is embedded without encoding:
<div class="mt-1 rounded border dark:border-gray-800">
   <div class="flex items-center">
       <span
           class="min-w-0 flex-grow"
           style="[…]"
       >
           <pre class="scrollbar-hidden mx-5 my-3 overflow-y-hidden text-xs lg:text-sm">
               <code class="overflow-y-hidden scrollbar-hidden overflow-x-scroll scrollbar-hidden-x">
                   {!! $exception->requestBody() ?: 'No body data' !!}
               </code>
           </pre>
       </span>
   </div>
</div>
Blade's {!! !!} syntax outputs a value verbatim, bypassing the HTML escaping that the {{ }} syntax applies (htmlspecialchars with ENT_QUOTES). A request parameter such as <script>alert(1)</script> therefore reaches the browser as markup rather than as text, and the script runs.
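The following standalone PHP script is an added example, not Laravel's own code. It takes the parameters of the proof-of-concept request below, reproduces the kind of dump the debug page makes of them (the JSON pretty-printing and the restoration of escaped slashes are an assumption about how requestBody() behaves, not something the page shows), and renders the result both the way {!! !!} does and the way {{ }} does, so the difference the fix relies on is visible side by side.

```php
<?php
// Added example (not Laravel's code): contrast Blade's unescaped {!! !!}
// output with the escaped {{ }} output for an attacker-controlled parameter.
declare(strict_types=1);

// Constructed sample input: what $request->all() holds for
//   GET /poc-url?payload=<script>alert(1)</script>
$params = ['payload' => '<script>alert(1)</script>'];

// Assumption about requestBody(): pretty-printed JSON with json_encode's
// escaped forward slashes put back, which is what lets a closing </script>
// tag survive the encoding step intact.
function requestBody(array $payload): ?string
{
    if ($payload === []) {
        return null;
    }
    $json = (string) json_encode($payload, JSON_PRETTY_PRINT);

    return str_replace('\/', '/', $json);
}

// What {!! $exception->requestBody() ?: 'No body data' !!} emits:
// the string is inserted into the HTML as-is.
function renderRaw(?string $body): string
{
    return '<code>' . ($body ?: 'No body data') . '</code>';
}

// What {{ $exception->requestBody() ?: 'No body data' }} emits:
// Blade's e() helper, i.e. htmlspecialchars with ENT_QUOTES | ENT_SUBSTITUTE,
// turns <, >, &, " and ' into entities so the browser shows them as text.
function renderEscaped(?string $body): string
{
    $text = $body ?: 'No body data';

    return '<code>' . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</code>';
}

$body = requestBody($params);

echo "Vulnerable rendering ({!! !!}):\n", renderRaw($body), "\n\n";
echo "Fixed rendering ({{ }}):\n", renderEscaped($body), "\n\n";

// A quick check a reviewer can apply to any template output: does a live
// <script> element survive into the HTML?
echo 'raw output contains <script>: ', var_export(str_contains(renderRaw($body), '<script>'), true), "\n";
echo 'escaped output contains <script>: ', var_export(str_contains(renderEscaped($body), '<script>'), true), "\n";
```

Run it with `php example.php`. The raw rendering contains a literal `<script>alert(1)</script>` element inside the `<code>` block, which a browser executes; the escaped rendering contains `&lt;script&gt;alert(1)&lt;/script&gt;`, which it merely displays. The same check, grepping rendered templates for unescaped `{!! !!}` around request-derived data, is a useful review step in any Blade codebase, not just this error page.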
Proof of Concept
To reproduce this vulnerability on a test installation of an affected version, follow these steps:
- Enable debug mode: set APP_DEBUG=true in the application's .env file (this should only ever be true in a development environment).
- Create a test route: add an endpoint that throws an unhandled exception, so that the debug error page is rendered. For example:
use Illuminate\Support\Facades\Route;
Route::get('/poc-url', function () {
    return 0 / 0; // Throws DivisionByZeroError in PHP 8, triggering the debug error page.
});
- Exploitation: visit a crafted URL such as http://localhost:8000/poc-url?payload=<script>alert(1)</script>. The route throws, the debug error page dumps the request parameters, including the payload query parameter, without encoding, and the browser executes the injected script.
The impact depends on deployment: on an application exposed to users with debug mode left on, an attacker can craft links that, when visited, execute arbitrary JavaScript in the context of the affected application.
This enables the usual consequences of XSS, such as reading page content, performing actions as the victim, or stealing tokens and cookies that are not protected by the HttpOnly flag.
This issue has been addressed in version 11.36.0 of the Laravel framework, which encodes the request data shown on the error page. Users are strongly advised to update to this version or later. Independently of the upgrade, APP_DEBUG must be false on any internet-facing deployment: the debug page discloses request data, configuration and stack traces by design, so leaving it enabled in production is a misconfiguration whether or not the output is encoded.
The security of web applications is paramount, and vulnerabilities like this highlighted flaw in Laravel underscore the importance of regular updates and robust security practices.
As the popularity of frameworks such as Laravel continues to grow, ensuring the integrity of these tools is crucial for safeguarding user data and preventing malicious activities.