CVSS Score: -

Basic Information
- CVE ID: -
- GHSA ID: -
- EPSS Score: -
- CWE: -
- Published: -
- Updated: -
- KEV Status: -
- Technology: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| laravel/framework | composer | >= 5.5.0, < 5.6.30 | 5.6.30 |
The vulnerability stems from unsafe deserialization of cookie values after decryption. Prior to Laravel 5.6.30, the framework allowed serialized cookies by default through the EncryptCookies middleware's $serialize property. When serialization was enabled, the Encrypter::decrypt method called unserialize() on the decrypted data, so Encrypter::decrypt is the method directly responsible for the vulnerable deserialization (CWE-502). The patch in 5.6.30 disabled serialization by default, removing this unsafe deserialization path.
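To make the affected branch concrete, the following is an added example and not Laravel's own code: a simplified model of an encrypt/decrypt pair whose decrypt step branches on a serialize flag in the role of EncryptCookies::$serialize. The class name CookieCrypter, the payload layout and the demonstration values are assumptions; only the shape of the branch (unserialize() when serialization is on, a plain string when it is off) is taken from the advisory text.

```php
<?php
declare(strict_types=1);

// Added example (not Laravel's code): a simplified model of the decrypt path the
// advisory describes. Class and method names are illustrative; only the branch on
// the serialize flag mirrors the behaviour the advisory text describes.
final class CookieCrypter
{
    private const CIPHER = 'aes-256-cbc';

    // $serialize plays the role of EncryptCookies::$serialize.
    public function __construct(private string $key, private bool $serialize)
    {
        if (strlen($key) !== 32) {
            throw new InvalidArgumentException('aes-256-cbc needs a 32-byte key');
        }
    }

    public function encrypt(string $plain): string
    {
        $iv = random_bytes(16);
        $ct = openssl_encrypt($plain, self::CIPHER, $this->key, 0, $iv);
        if ($ct === false) {
            throw new RuntimeException('encryption failed');
        }
        $ivB64 = base64_encode($iv);
        // MAC over IV and ciphertext so tampering is detected before decryption.
        $mac = hash_hmac('sha256', $ivB64 . $ct, $this->key);
        return base64_encode(json_encode(['iv' => $ivB64, 'value' => $ct, 'mac' => $mac]));
    }

    public function decrypt(string $payload): mixed
    {
        $json = json_decode(base64_decode($payload, true) ?: '', true);
        if (!is_array($json) || !isset($json['iv'], $json['value'], $json['mac'])) {
            throw new RuntimeException('malformed payload');
        }
        // Integrity check first; only authenticated payloads reach the decrypt step.
        $expected = hash_hmac('sha256', $json['iv'] . $json['value'], $this->key);
        if (!hash_equals($expected, $json['mac'])) {
            throw new RuntimeException('MAC mismatch');
        }
        $plain = openssl_decrypt($json['value'], self::CIPHER, $this->key, 0, base64_decode($json['iv']));
        if ($plain === false) {
            throw new RuntimeException('decryption failed');
        }

        if ($this->serialize) {
            // Pre-5.6.30 default: decrypted bytes go straight to unserialize(), which
            // instantiates whatever classes the serialized string names (CWE-502).
            return unserialize($plain);
        }
        // 5.6.30+ default: the decrypted value is returned as an opaque string and
        // is never deserialized by the cookie layer.
        return $plain;
    }
}

// Constructed demonstration values.
$key    = random_bytes(32);
$legacy = new CookieCrypter($key, serialize: true);   // pre-5.6.30 default
$fixed  = new CookieCrypter($key, serialize: false);  // 5.6.30 default

$cookie = $legacy->encrypt(serialize(['user' => 42]));
var_dump($legacy->decrypt($cookie)); // array with key "user": unserialize() ran
var_dump($fixed->decrypt($cookie));  // string: the serialized text, left undeserialized
```

The decisive line is the branch on the serialize flag: with it off, the cookie layer hands back a string and any structure the application needs must be rebuilt from a format that cannot instantiate objects, such as json_decode() into arrays. If an application re-enables serialization for compatibility, passing `['allowed_classes' => false]` to unserialize() narrows what can be instantiated, but it is a mitigation on top of the fix, not a replacement for leaving serialization off.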