Security researchers have identified a vulnerability related to Laravel's APP_KEY, the secret on which the framework's data encryption depends. Over 260,000 APP_KEYs were leaked on GitHub, leading to the discovery of 600 vulnerable applications. The deserialization flaw within Laravel's implementation of the decrypt() function permits attackers to execute arbitrary code if they gain access to the APP_KEY. This vulnerability has been known since CVE-2018-15133 and persists in newer versions when specific session serialization configurations are used.
Laravel's APP_KEY, essential for encrypting sensitive data, is often leaked publicly. If attackers get access to this key, they can exploit a deserialization flaw to execute arbitrary code.
The company, in collaboration with Synacktiv, said it was able to extract more than 260,000 APP_KEYs from GitHub, identifying over 600 vulnerable Laravel applications.
APP_KEY is a random 32-byte encryption key generated during the installation of Laravel, used to encrypt and decrypt data, sign and verify data, and create unique authentication tokens.
If attackers obtain the APP_KEY and can invoke the decrypt() function with a malicious payload, they can achieve remote code execution on the Laravel web server.
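Because the whole attack chain starts with a leaked key, the practical defensive control is to find APP_KEY values before they reach a public repository (a pre-commit hook or CI scan over `.env` files and committed config). The following scanner is an added example written for this page; it is not code from Laravel or from the researchers' tooling. It assumes the format `php artisan key:generate` writes, `APP_KEY=base64:<key>`, and that a valid key decodes to 32 bytes (AES-256-CBC) or 16 bytes (AES-128-CBC); the `.env` content embedded in it is constructed sample data, not a real leaked key.

```python
import base64
import binascii
import re

# `php artisan key:generate` writes APP_KEY=base64:<base64 key> into .env.
# Optional quotes are accepted because hand-edited .env files often use them.
APP_KEY_RE = re.compile(r'APP_KEY\s*=\s*["\']?base64:([A-Za-z0-9+/]+={0,2})["\']?')

# Key sizes Laravel's encrypter accepts: 16 bytes (AES-128-CBC), 32 bytes (AES-256-CBC).
VALID_KEY_LENGTHS = {16, 32}


def decode_key(b64: str):
    """Return the raw key bytes if `b64` is a well-formed Laravel key, else None."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw if len(raw) in VALID_KEY_LENGTHS else None


def redact(b64: str) -> str:
    """Keep just enough of the value to correlate findings without re-leaking the key."""
    return b64[:4] + "..." + b64[-4:]


def find_leaked_app_keys(text: str):
    """Scan file content line by line and report every usable APP_KEY it contains.

    Only values that decode to a key length Laravel would accept are reported;
    malformed values cannot be used with decrypt() and are skipped as noise.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = APP_KEY_RE.search(line)
        if not match:
            continue
        raw = decode_key(match.group(1))
        if raw is None:
            continue
        findings.append({
            "line": line_no,
            "key_bits": len(raw) * 8,
            "redacted": redact(match.group(1)),
        })
    return findings


# Constructed sample .env content (hypothetical project; the keys are the byte
# sequences 0x00..0x1f and sixteen zero bytes, not keys from any real deployment).
SAMPLE_ENV = """APP_NAME=Shop
APP_ENV=production
APP_KEY=base64:AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=
# old key kept "for reference" - still a usable 128-bit key
APP_KEY="base64:AAAAAAAAAAAAAAAAAAAAAA=="
APP_KEY=base64:not-a-valid-key
DB_PASSWORD=example
"""


if __name__ == "__main__":
    for finding in find_leaked_app_keys(SAMPLE_ENV):
        print(f"line {finding['line']}: {finding['key_bits']}-bit APP_KEY "
              f"({finding['redacted']}) - rotate this key before the file is shared")
```

A key found this way should be treated as compromised rather than merely removed from the file: rotating APP_KEY invalidates existing sessions and anything encrypted with the old key, which is the intended effect, since the leaked value otherwise remains usable against the application for as long as it stays in service.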