8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2018-15133

GHSA ID

GHSA-qvqm-h22r-4cp9

EPSS Score

0.99044%

CWE

CWE-502

Published

5/14/2022

Updated

1/13/2025

KEV Status

Yes

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-15133

CVE-2018-15133:
Laravel Framework RCE Vulnerability

In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.

(GitHub Advisory)

8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2018-15133

GHSA ID

GHSA-qvqm-h22r-4cp9

EPSS Score

0.99044%

CWE

CWE-502

Published

5/14/2022

Updated

1/13/2025

KEV Status

Yes

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
laravel/framework	composer	<= 5.5.40
laravel/framework	composer	>= 5.6.0, <= 5.6.29	5.6.30

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unsafe deserialization during cookie/header decryption. The core issue is in Encrypter::decrypt which by default performed unserialize() on decrypted data. The middleware components (EncryptCookies and VerifyCsrfToken) called this method without proper serialization controls, particularly for XSRF tokens. The patch added explicit serialization flags (false for XSRF-TOKEN) to prevent unserialization of untrusted data. The vulnerable functions are those that handled decryption of user-controlled tokens without these safeguards, enabling PHP object injection when the app key was known.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In L*r*v*l *r*m*work t*rou** *.*.** *n* *.*.x t*rou** *.*.**, r*mot* *o** *x**ution mi**t o**ur *s * r*sult o* *n uns*ri*liz* **ll on * pot*nti*lly untrust** X-XSR*-TOK*N v*lu*. T*is involv*s t** ***rypt m*t*o* in `Illumin*t*/*n*ryption/*n*rypt*r.p*p

Reasoning

T** vuln*r**ility st*ms *rom uns*** **s*ri*liz*tion *urin* *ooki*/*****r ***ryption. T** *or* issu* is in *n*rypt*r::***rypt w*i** *y ****ult p*r*orm** uns*ri*liz*() on ***rypt** **t*. T** mi**l*w*r* *ompon*nts (*n*rypt*ooki*s *n* V*ri*y*sr*Tok*n) **

8.1

Basic Information

Concerned about an active attack path?

CVE-2018-15133: Laravel Framework RCE Vulnerability

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2018-15133:
Laravel Framework RCE Vulnerability

Vulnerability Intelligence
Miggo AI