CVE-2018-15133

CVSS 8.1 (High) · EPSS 76.8% · KEV · CWE-502
In short

Laravel applications can execute arbitrary code if an attacker manipulates a cookie token and knows the app's secret key. This happens because the framework unsafely deserializes untrusted data, treating it as executable code instead of just information.

Technical detail

CVE-2018-15133 is an unsafe deserialization of the X-XSRF-TOKEN cookie value: the decrypt() method in Illuminate/Encryption/Encrypter.php passes the decrypted cookie payload to unserialize(). The attack requires knowledge of the application key (a high barrier), but once that key is known an attacker can encrypt a PHP object gadget chain (such as those in phpggc) and have the framework deserialize it, achieving remote code execution. Impact is critical RCE with application-level privileges.
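The defensive point behind this CVE is that a cookie value, even one that is encrypted and authenticated, is still untrusted input and must never reach unserialize() with object instantiation enabled. The following PHP 8 snippet is an added illustration and is not Laravel's Encrypter or its fix: it seals a cookie payload with encrypt-then-MAC and, on the way back in, verifies the MAC and then parses the plaintext as JSON, so no PHP class can be instantiated from cookie data regardless of whether the key is known. The `$appKey` value and the function names are hypothetical; `legacyUnserialize()` shows the `allowed_classes => false` restriction for code that must still read an old serialize() format.

```php
<?php
declare(strict_types=1);

// Added illustration; NOT Laravel's Encrypter. $appKey is a hypothetical
// 32-byte application key generated for this run; never hard-code a real one.
$appKey = random_bytes(32);

/** Encrypt-then-MAC a JSON-encoded payload (AES-256-CBC + HMAC-SHA256). */
function sealPayload(array $payload, string $appKey): string
{
    $iv = random_bytes(16);
    $plaintext = json_encode($payload, JSON_THROW_ON_ERROR);
    $ciphertext = openssl_encrypt($plaintext, 'aes-256-cbc', $appKey, OPENSSL_RAW_DATA, $iv);
    $mac = hash_hmac('sha256', $iv . $ciphertext, $appKey, true);
    return base64_encode($iv . $ciphertext . $mac);
}

/**
 * Verify the MAC, decrypt, and decode as JSON. The plaintext is handed to
 * json_decode() and never to unserialize(), so a gadget chain embedded in
 * the cookie is just an unusable string, even to a holder of the key.
 */
function openPayload(string $cookie, string $appKey): ?array
{
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) < 16 + 32) {
        return null;
    }
    $iv = substr($raw, 0, 16);
    $mac = substr($raw, -32);
    $ciphertext = substr($raw, 16, -32);
    $expected = hash_hmac('sha256', $iv . $ciphertext, $appKey, true);
    if (!hash_equals($expected, $mac)) {
        return null; // tampered payload or wrong key: reject before decrypting
    }
    $plaintext = openssl_decrypt($ciphertext, 'aes-256-cbc', $appKey, OPENSSL_RAW_DATA, $iv);
    if ($plaintext === false) {
        return null;
    }
    $decoded = json_decode($plaintext, true);
    return is_array($decoded) ? $decoded : null;
}

/**
 * For data that must still be read from a legacy serialize() format:
 * with allowed_classes => false every class in the payload becomes
 * __PHP_Incomplete_Class, so no constructor, __wakeup or __destruct
 * of an application class can run during deserialization.
 */
function legacyUnserialize(string $plaintext): mixed
{
    return unserialize($plaintext, ['allowed_classes' => false]);
}

// Constructed sample: a CSRF token stored in the sealed cookie.
$sealed = sealPayload(['csrf' => bin2hex(random_bytes(20))], $appKey);
var_dump(openPayload($sealed, $appKey));       // array with the csrf token

// Flip one character of the cookie: the MAC check fails and nothing is decrypted.
$tampered = $sealed;
$tampered[10] = $tampered[10] === 'A' ? 'B' : 'A';
var_dump(openPayload($tampered, $appKey));     // NULL

// A serialized object in legacy data comes back inert, not live.
var_dump(legacyUnserialize('O:8:"stdClass":0:{}') instanceof __PHP_Incomplete_Class); // bool(true)
```

The key-knowledge barrier that the CVE description relies on is only a mitigation; the structural fix is the choice of decoder. JSON (or `allowed_classes => false`) removes the gadget-chain primitive entirely, so a leaked or reused application key no longer converts directly into code execution.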

Summary generated and translated by AI from the official description.

Official description

In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.

CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products
n/a · n/a