Medium severity5.9NVD Advisory· Published Sep 28, 2017· Updated May 13, 2026

CVE-2017-14775

Description

Laravel before 5.5.10 mishandles the remember_me token verification process because DatabaseUserProvider does not have constant-time token comparison.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
laravel/frameworkPackagist	< 5.5.10	5.5.10
illuminate/authPackagist	< 5.5.10	5.5.10

Affected products

Laravel/Laravel
cpe:2.3:a:laravel:laravel:*:*:*:*:*:*:*:*
Range: <=5.5.9

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-c2v7-j5gq-wcq4ghsaADVISORY
github.com/laravel/framework/pull/21320nvdIssue TrackingMailing ListThird Party AdvisoryWEB
github.com/laravel/framework/releases/tag/v5.5.10nvdRelease NotesThird Party AdvisoryWEB
laravel-news.com/laravel-v5-5-11nvdIssue TrackingVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2017-14775ghsaADVISORY
github.com/FriendsOfPHP/security-advisories/blob/master/illuminate/auth/CVE-2017-14775.yamlghsaWEB
github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/CVE-2017-14775.yamlghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.384
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000