VYPR
High severity · CISA KEV · NVD Advisory · Published Aug 9, 2018 · Updated Oct 21, 2025

CVE-2018-15133

Description

In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Affected versions       Patched versions
laravel/framework (Packagist)  <= 5.5.40               (none listed)
laravel/framework (Packagist)  >= 5.6.0, < 5.6.30      5.6.30

Patches

1 patch

Commit d84cf988ed5d

dont serialize csrf cookie / header

https://github.com/laravel/framework · Taylor Otwell · Aug 7, 2018 · via GHSA
2 files changed · +18 −6
  • src/Illuminate/Cookie/Middleware/EncryptCookies.php (+17 −5, modified)
    @@ -25,6 +25,15 @@ class EncryptCookies
          */
         protected $except = [];
     
    +    /**
    +     * The cookies that should not be serialized.
    +     *
    +     * @var array
    +     */
    +    protected $serialization = [
    +        'XSRF-TOKEN' => false,
    +    ];
    +
         /**
          * Create a new CookieGuard instance.
          *
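Review bot: the docblock on the new `$serialization` property ("The cookies that should not be serialized") does not describe what the array actually holds: it is a map of cookie name to boolean (`'XSRF-TOKEN' => false` meaning "do not serialize this cookie"), not a list of names. Since the property is protected and application middleware extending `EncryptCookies` will override it, suggest spelling out the shape and the meaning of each value, e.g. `@var array<string, bool>  cookie name => whether the value is serialized`, so an override does not accidentally read it as an exclusion list.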
    @@ -73,7 +82,7 @@ protected function decrypt(Request $request)
                 }
     
                 try {
    -                $request->cookies->set($key, $this->decryptCookie($cookie));
    +                $request->cookies->set($key, $this->decryptCookie($key, $cookie));
                 } catch (DecryptException $e) {
                     $request->cookies->set($key, null);
                 }
    @@ -85,14 +94,15 @@ protected function decrypt(Request $request)
         /**
          * Decrypt the given cookie and return the value.
          *
    +     * @param  string  $name
          * @param  string|array  $cookie
          * @return string|array
          */
    -    protected function decryptCookie($cookie)
    +    protected function decryptCookie($name, $cookie)
         {
             return is_array($cookie)
                             ? $this->decryptArray($cookie)
    -                        : $this->encrypter->decrypt($cookie);
    +                        : $this->encrypter->decrypt($cookie, $this->serialization[$name] ?? true);
         }
     
         /**
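Review bot: the new `$name` parameter only reaches the serialization lookup on the scalar branch; the array branch still calls `$this->decryptArray($cookie)` without it, so a cookie listed in `$serialization` that arrives as an array never has its policy applied to its elements. Consider passing the name through (`$this->decryptArray($name, $cookie)`) so both branches key on the same thing. Also note that `?? true` keeps unserialize-on-decrypt as the default for every cookie not listed, so the protection is opt-out per cookie name; that is worth stating in the docblock next to the new `@param`.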
    @@ -107,7 +117,7 @@ protected function decryptArray(array $cookie)
     
             foreach ($cookie as $key => $value) {
                 if (is_string($value)) {
    -                $decrypted[$key] = $this->encrypter->decrypt($value);
    +                $decrypted[$key] = $this->encrypter->decrypt($value, $this->serialization[$key] ?? true);
                 }
             }
     
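Review bot: `$this->serialization[$key]` here looks up the sub-key inside the array cookie, not the cookie's own name, which is a different key space from the one used by `decryptCookie` and by the `encrypt` path (both use the top-level cookie name). As written, an entry for a top-level cookie name has no effect on its array elements, while an array element whose sub-key happens to equal a listed name silently picks up that name's policy. Suggest keying the lookup on the parent cookie name, or documenting that array-valued cookies are always serialized.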
    @@ -127,8 +137,10 @@ protected function encrypt(Response $response)
                     continue;
                 }
     
    +            $serialize = $this->serialization[$cookie->getName()] ?? true;
    +
                 $response->headers->setCookie($this->duplicate(
    -                $cookie, $this->encrypter->encrypt($cookie->getValue())
    +                $cookie, $this->encrypter->encrypt($cookie->getValue(), $serialize)
                 ));
             }
     
    
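Review bot: with `$serialize` false the value from `$cookie->getValue()` is handed to `encrypt()` as-is, so any cookie listed with `false` must hold a plain string, and nothing here enforces that. This is also the side that has to agree with the decrypt path: a cookie written with `$serialize = true` and later read with `false` comes back as a PHP-serialized string rather than its value, so the XSRF-TOKEN round trip (encrypt here, decrypt in `decryptCookie`) deserves an explicit test.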
  • src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php (+1 −1, modified)
    @@ -138,7 +138,7 @@ protected function getTokenFromRequest($request)
             $token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');
     
             if (! $token && $header = $request->header('X-XSRF-TOKEN')) {
    -            $token = $this->encrypter->decrypt($header);
    +            $token = $this->encrypter->decrypt($header, false);
             }
     
             return $token;
    
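Review bot: this is the line the advisory is about: `X-XSRF-TOKEN` is attacker-supplied request data, and passing `false` stops `decrypt()` from running the decrypted payload through `unserialize`, which is what closed the gadget-chain path. Two follow-ups: no exception handling is visible in this hunk, so a header that does not decrypt still throws `DecryptException` out of `getTokenFromRequest` instead of being treated as a missing token (the cookie path in `EncryptCookies::decrypt` catches it; this path does not). And XSRF-TOKEN cookies issued before this change were encrypted with serialization, so after deploy they decrypt to a PHP-serialized string that will not match the session token until the client receives a fresh cookie; the release note should say that in-flight sessions will see one CSRF failure.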
