CVE-2024-52301
published 2024-11-12


Priority: P1 · 80 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 37.98% (98.4th percentile)
Laravel is a web application framework. When the `register_argc_argv` PHP directive is set to `on` and users call any URL with a specially crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability is fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-CLI SAPIs.

Affected

19 ranges
Vendor | Product | Version range | Fixed in
debian | debian_linux | - | -
debian | php-laravel-framework | < php-laravel-framework 6.20.14+dfsg-2+deb11u2 (bullseye) | php-laravel-framework 6.20.14+dfsg-2+deb11u2 (bullseye)
laravel | framework | < 6.20.45 | 6.20.45
laravel | framework | - | -
laravel | framework | - | -
laravel | framework | - | -
laravel | framework | - | -
laravel | framework | - | -
laravel | framework | >= 0 < 6.20.45 | 6.20.45
laravel | framework | >= 10.0.0 < 10.48.23 | 10.48.23
laravel | framework | >= 10.0.0 < 10.48.23 | 10.48.23
laravel | framework | >= 11.0.0 < 11.31.0 | 11.31.0
laravel | framework | >= 11.0.0 < 11.31.0 | 11.31.0
laravel | framework | >= 7.0.0 < 7.30.7 | 7.30.7
laravel | framework | >= 7.0.0 < 7.30.7 | 7.30.7
laravel | framework | >= 8.0.0 < 8.83.28 | 8.83.28
laravel | framework | >= 8.0.0 < 8.83.28 | 8.83.28
laravel | framework | >= 9.0.0 < 9.52.17 | 9.52.17
laravel | framework | >= 9.0.0 < 9.52.17 | 9.52.17

Detection & IOCs (extracted from sources)

  • Exploitation requires the PHP directive `register_argc_argv` to be set to `on` — detection should focus on web requests with specially crafted query strings targeting Laravel applications where this directive is enabled
  • The fix causes Laravel to ignore argv values for environment detection on non-CLI SAPIs; detection logic should alert on Laravel instances running vulnerable versions (prior to 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, 11.31.0) with `register_argc_argv=on`
  • Vulnerability is only exploitable when the PHP directive `register_argc_argv` is set to `on`; this is not the default in production PHP configurations but may be enabled in some environments
  • Fixed versions are 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0; Debian bookworm remains open as of source publication date
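
An inventory check implementing the alert condition above (vulnerable version together with `register_argc_argv=on`), as an added example that is not from this page's sources or from Laravel. It assumes the installed version is read from the application's `composer.lock` and that the directive's value for the web SAPI is supplied as a string; the function names and result labels are hypothetical.

```python
import json
import re

# First fixed release per major branch, as listed on this page.
FIXED = {6: (6, 20, 45), 7: (7, 30, 7), 8: (8, 83, 28),
         9: (9, 52, 17), 10: (10, 48, 23), 11: (11, 31, 0)}

# Spellings PHP accepts as boolean "on" for an ini directive.
INI_TRUE = {"1", "on", "yes", "true"}


def laravel_version(composer_lock_text):
    """Return (found, version): version is (major, minor, patch), or None if unparseable."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "laravel/framework":
            m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", pkg.get("version", ""))
            return True, (tuple(int(x) for x in m.groups()) if m else None)
    return False, None


def is_patched(version):
    major = version[0]
    if major < 6:
        return False  # the page lists everything below 6.20.45 as affected
    if major not in FIXED:
        return True   # assumption: branches after 11.x are outside the listed ranges
    return version >= FIXED[major]


def assess(composer_lock_text, register_argc_argv):
    """Classify one application for CVE-2024-52301.

    'exposed'         vulnerable version and register_argc_argv is on
    'vulnerable-code' vulnerable version, directive off (upgrade anyway)
    'patched'         at or above the fixed release for its branch
    'unknown-version' laravel/framework present but version not numeric (e.g. dev branch)
    'not-laravel'     laravel/framework not in composer.lock
    """
    found, version = laravel_version(composer_lock_text)
    if not found:
        return "not-laravel"
    if version is None:
        return "unknown-version"
    if is_patched(version):
        return "patched"
    ini_on = str(register_argc_argv).strip().lower() in INI_TRUE
    return "exposed" if ini_on else "vulnerable-code"
```

The directive value must come from the PHP configuration that serves web requests (for example the FPM or Apache module ini), since the CLI configuration can differ.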

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd | v4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv | - | 8.7 | HIGH | -
vulncheck | - | 8.7 | HIGH | -
vendor_debian | - | 8.7 | HIGH | -