CVE-2024-13919

8.0 HIGH

📋 TL;DR

Laravel applications running affected versions are susceptible to reflected cross-site scripting (XSS) when debug mode is enabled: a route parameter taken from the request URL is rendered on the debug error page without proper encoding, so an attacker who gets a user to open a crafted URL that triggers an unhandled exception can run script in that user's browser within the application's origin. This affects any Laravel application with debug mode enabled running versions 11.9.0 through 11.35.1; version 11.36.0 contains the fix.

💻 Affected Systems

Products:
  • Laravel Framework
Versions: 11.9.0 through 11.35.1
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when debug mode is enabled (APP_DEBUG=true). Production environments typically have debug disabled, but the .env.example shipped with a new Laravel application sets APP_DEBUG=true, so development and staging deployments, and any production host that copied that file unchanged, are exposed.

📦 What is this software?

Laravel is an open-source PHP web application framework, installed through Composer as the laravel/framework package. When APP_DEBUG=true, unhandled exceptions are rendered as a detailed diagnostic page that includes request and routing details, among them the matched route's parameters; that debug page is the component affected here.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers can execute arbitrary JavaScript in a victim's browser within the application's origin, performing actions as that user, exfiltrating data visible on the page or reachable through authenticated requests, or redirecting the victim to malicious sites.

🟠

Likely Case

Actions performed in the victim's authenticated session (the script runs in the application's origin and can read the CSRF token, so state-changing requests succeed), credential capture through injected phishing content, or defacement of the error page. Direct theft of the session cookie is unlikely because Laravel's session cookie is HttpOnly by default.

🟢

If Mitigated

No exposure when debug mode is disabled: with APP_DEBUG=false Laravel renders a generic error page that never echoes route parameters, so the vulnerable code path is not reached.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires debug mode to be enabled on the target and a victim to open an attacker-crafted URL whose route parameter carries the payload and which triggers the debug error page. The attacker needs no credentials; it is the victim's session that the injected script acts on.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v11.36.0

Vendor Advisory: https://github.com/laravel/framework/releases/tag/v11.36.0

Restart Required: No

Instructions:

1. Update the framework to 11.36.0 or later: composer require laravel/framework:^11.36.0 (this resolves and installs the new version; a separate composer update is not needed and would also bump unrelated packages)
2. Confirm the installed version: composer show laravel/framework
3. Clear cached configuration, routes and views: php artisan optimize:clear. If OPcache runs with opcache.validate_timestamps=0, reload PHP-FPM so the patched framework files are picked up.

🔧 Temporary Workarounds

Disable Debug Mode (all platforms)

Set APP_DEBUG=false in the .env file so unhandled exceptions render the generic error page instead of the debug page. Edit the existing APP_DEBUG line rather than appending a second one, and note that a value exported in the real process environment (for example by a container runtime) takes precedence over .env. Only false, (false), 0, an empty value or null disable debug mode; APP_DEBUG=off or APP_DEBUG=no leaves it enabled, because config/app.php casts the value with (bool) env('APP_DEBUG', false) and PHP treats any other non-empty string as true.

sed -i 's/^APP_DEBUG=.*/APP_DEBUG=false/' .env
php artisan config:clear   # or php artisan config:cache if configuration is cached in production

🧯 If You Can't Patch

  • Disable debug mode in production environments immediately.
  • Put a web application firewall (WAF) rule in front of the application that blocks requests carrying markup or javascript: URIs in the URL path. Treat this as a compensating control only: percent-encoded and otherwise obfuscated payloads routinely evade signature rules.

🔍 How to Verify

Check if Vulnerable:

Both conditions must hold: the installed laravel/framework version is in 11.9.0 through 11.35.1, and debug mode is effectively enabled. Prefer php artisan about over grep on .env, because it reports the Laravel version and Debug Mode as the running application resolves them, including cached configuration and variables set in the process environment: php artisan about --only=environment

Check Version:

php artisan --version
composer show laravel/framework

Verify Fix Applied:

Confirm Laravel version is 11.36.0 or higher: php artisan --version
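The two conditions above can be checked offline against a checkout or backup, without running artisan. The following Python script is an added example, not code from the advisory or the Laravel project: it reads the installed laravel/framework version from composer.lock and resolves APP_DEBUG the way phpdotenv and Laravel's config/app.php do (process environment first, then .env, then the (bool) cast). The composer.lock and .env texts in it are constructed for the demonstration.

```python
"""Apply the two CVE-2024-13919 exposure conditions to a Laravel checkout.

Added example, not code from the advisory or the Laravel project. It reads the
installed laravel/framework version from composer.lock and the effective APP_DEBUG
value (real environment first, then .env), mirroring how phpdotenv and Laravel's
config/app.php resolve it. Sample composer.lock and .env texts are constructed.
"""
import json
import os
import re

AFFECTED_MIN = (11, 9, 0)
AFFECTED_MAX = (11, 35, 1)  # fixed in v11.36.0

# Values that Laravel's (bool) env('APP_DEBUG', false) cast resolves to false:
# Env::get() maps the keyword forms, and PHP's (bool) turns "" and "0" into false.
# Anything else, including "off" and "no", is a non-empty string and casts to true.
FALSY = {"false", "(false)", "0", "", "empty", "(empty)", "null", "(null)"}


def parse_version(tag):
    """'v11.35.1' -> (11, 35, 1); any suffix after the patch number is ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        raise ValueError(f"unrecognised version string: {tag!r}")
    return tuple(int(part) for part in m.groups())


def framework_version(lock_json):
    """Installed laravel/framework version, read from composer.lock text."""
    for pkg in json.loads(lock_json).get("packages", []):
        if pkg.get("name") == "laravel/framework":
            return parse_version(pkg["version"])
    raise LookupError("laravel/framework not present in composer.lock")


def parse_dotenv(text):
    """Minimal .env reader: KEY=VALUE per line, '#' comments, optional quotes."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip('"').strip("'")
    return values


def debug_enabled(dotenv_text, environ):
    """Effective debug flag. A variable already in the process environment wins,
    because phpdotenv does not overwrite externally defined variables."""
    raw = environ.get("APP_DEBUG")
    if raw is None:
        raw = parse_dotenv(dotenv_text).get("APP_DEBUG", "")  # absent -> default false
    return raw.strip().lower() not in FALSY


def is_exposed(lock_json, dotenv_text, environ=None):
    """True only when the version is in the affected range AND debug mode is on."""
    environ = os.environ if environ is None else environ
    in_range = AFFECTED_MIN <= framework_version(lock_json) <= AFFECTED_MAX
    return in_range and debug_enabled(dotenv_text, environ)


def make_lock(version):
    """Constructed composer.lock fragment with a single package entry (demo data)."""
    return json.dumps({"packages": [{"name": "laravel/framework", "version": version}]})


SAMPLE_LOCK = make_lock("v11.35.1")  # constructed: last affected release
SAMPLE_ENV = "APP_NAME=Demo\n# APP_DEBUG=false\nAPP_DEBUG=off\n"  # constructed .env

if __name__ == "__main__":
    # "off" is not false to PHP's (bool) cast, so this reports exposed.
    print("exposed:", is_exposed(SAMPLE_LOCK, SAMPLE_ENV, environ={}))
```

Run it from the application root with the real composer.lock and .env contents; pass an empty dict as environ to evaluate .env alone, or leave it unset to let the process environment take precedence as it does in production.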

📡 Detection & Monitoring

Log Indicators:

  • Requests whose path segment for a route parameter contains markup or JavaScript, plain or percent-encoded, followed by a 500 response
  • Clusters of error responses from one client with varying payloads in the same path position, which indicates probing
  • laravel.log entries whose exception message echoes such a value; laravel.log does not record the request URL by default, so the web server access log is the primary source

Network Indicators:

  • HTTP requests containing script tags, event-handler attributes or javascript: URIs in route parameters
  • Double-encoded payloads (for example %253C for <) intended to slip past simple filters

SIEM Query:

Search the web server access log as well as laravel.log, and include percent-encoded forms since the payload travels in the URL. Splunk-style template; adjust source names and field extraction to your environment:

(source="access.log" OR source="laravel.log") AND ("<script" OR "%3Cscript" OR "javascript:" OR "onerror=" OR "onload=" OR "%3Csvg")
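The indicators above turned into a scan over web server access log lines. This is an added example, not from the advisory or the Laravel project: it parses combined log format, percent-decodes the request target repeatedly so double-encoded payloads are caught, and flags targets carrying script markers. The log lines are constructed (RFC 5737 test addresses), and the pattern list is a heuristic to tune, not an exhaustive XSS signature.

```python
"""Scan web server access logs for requests that look like CVE-2024-13919 probing.

Added example, not from the advisory or the Laravel project. Route parameters travel
in the URL path, so the access log (not laravel.log) is the primary source; the
request target is percent-decoded repeatedly so double-encoded variants are caught.
The log lines below are constructed in combined log format with RFC 5737 addresses.
"""
import re
from urllib.parse import unquote

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Heuristic markers of script injection, applied to the decoded request target.
# Handler names are enumerated so ordinary slugs such as "once=" do not match.
XSS_RE = re.compile(
    r"<\s*script|javascript:|<\s*(?:svg|img|iframe|body|details)\b"
    r"|\bon(?:load|error|focus|mouseover|click|toggle|animation\w*)\s*=",
    re.IGNORECASE,
)


def full_unquote(s, max_rounds=3):
    """Percent-decode until stable so %253Cscript%253E becomes <script>."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def parse_line(line):
    """Combined-log line -> dict of fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def flag_requests(lines):
    """Return (client_ip, status, decoded_target) for suspicious requests.

    Status is reported rather than filtered on: the debug page only renders for
    exceptions the application's handler does not convert to a plain HTTP error
    view, and a mix of 4xx and 5xx from one client is itself a probing signal.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        target = full_unquote(rec["target"])
        if XSS_RE.search(target):
            hits.append((rec["ip"], int(rec["status"]), target))
    return hits


# Constructed sample: one benign request, one plain payload, one double-encoded
# payload, and a benign slug that contains "javascript" and "once=" without markup.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET /users/42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "GET /users/%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 404 9821 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2025:10:00:03 +0000] "GET /orders/%253Csvg%2520onload%253Dalert(1)%253E HTTP/1.1" 500 10433 "-" "curl/8.5.0"
198.51.100.4 - - [10/Jan/2025:10:00:04 +0000] "GET /posts/javascript-tips?once=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, status, target in flag_requests(SAMPLE_LOG.splitlines()):
        print(f"{ip} {status} {target}")
```

Feed it real nginx or Apache combined-format lines; the decoded target in each hit is what to compare against the route parameter the debug page would have echoed. Extend XSS_RE with whatever payload families your WAF or scanner telemetry shows, and keep the decoding step, since a filter that only matches literal < misses every percent-encoded probe.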
