Laravel Reflected XSS via Request Parameter in Debug-Mode Error Page
Description
The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of request parameters in the debug-mode error page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Laravel 11.9.0–11.35.1 renders request parameters into the debug-mode error page without HTML encoding, a reflected XSS that lets attacker-supplied script run in the victim's browser.
Vulnerability
Overview
The Laravel framework versions 11.9.0 through 11.35.1 contain a reflected cross-site scripting (XSS) vulnerability in the debug-mode error page. When APP_DEBUG=true and the application answers with a 5xx error (typically an unhandled exception), the error page embeds request data, including URL query parameters, the request body and route parameters, directly into the HTML without encoding. The affected Blade template renders these values with the {!! !!} syntax, which bypasses Blade's automatic HTML escaping (the {{ }} syntax the fix switches to), so attacker-controlled input is interpreted as markup [1][4].
Exploitation
An attacker crafts a link, or an attacker-controlled page that submits a form, carrying a JavaScript payload in a request parameter (a query-string value or a POST body field) to a route that fails with a server error, and tricks a user into opening it. The preconditions are that the application runs with debug mode enabled (APP_DEBUG=true) and that the victim follows the link; no privileges on the application are required, although the payload then runs with whatever session the victim holds. No special network position is needed; the attack is remote and relies on user interaction [1][4]. The CVSS vector (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N) encodes this: high attack complexity for the debug-mode requirement, no privileges required, and user interaction required [3].
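As an added example (not code from this page, the advisory or the Laravel project), the following Python models the two Blade render modes contrasted in the Overview and the crafted-parameter attack described under Exploitation, and provides a check a tester can run over a captured debug-page response. For the simulation it assumes that the renderer shows the request input as pretty-printed JSON; the real renderer's formatting is not shown on this page, and PAYLOAD and the parameter dicts are constructed inputs.

```python
import html
import json
import re

# Added example, not code from Laravel or the advisory. It models the two Blade
# render modes of the debug-page template and the crafted-parameter attack, and
# offers a check for a captured response.

# Constructed attacker input. The leading closing tags end the <pre><code> block
# the renderer writes request data into, so the script tag lands in live markup.
PAYLOAD = '</code></pre><script>alert(document.cookie)</script>'


def request_body_context(params: dict) -> str:
    """Assumption for this example: the renderer shows the request input as
    pretty-printed JSON. JSON encoding protects quotes and backslashes but leaves
    '<' and '>' untouched, so it is not an HTML encoding and cannot stand in for one."""
    return json.dumps(params, indent=4)


def render_raw(context: str) -> str:
    """Vulnerable template: {!! $context !!} inserts the string verbatim."""
    return '<pre><code>' + context + '</code></pre>'


def render_escaped(context: str) -> str:
    """Patched template: {{ $context }} escapes on output. Blade's e() is
    htmlspecialchars() with ENT_QUOTES; html.escape() is the closest Python
    equivalent (it writes the apostrophe as &#x27; where PHP writes &#039;)."""
    return '<pre><code>' + html.escape(context, quote=True) + '</code></pre>'


_SCRIPT_TAG = re.compile(r'<script\b', re.IGNORECASE)


def reflects_unescaped(page: str, payload: str) -> bool:
    """True when the payload occurs in the page with its markup-significant
    characters intact. Use on a captured debug-page response: send a payload with
    a unique marker, then test the body. An escaped reflection (&lt;script&gt;)
    returns False and is not exploitable by this vector."""
    return payload in page


def live_script_tags(page: str) -> int:
    """Count '<script' openers that survived into the page; escaped ones do not match."""
    return len(_SCRIPT_TAG.findall(page))


if __name__ == '__main__':
    ctx = request_body_context({'search': PAYLOAD, 'page': '1'})
    for name, page in (('vulnerable', render_raw(ctx)), ('patched', render_escaped(ctx))):
        print(f'{name}: reflected unescaped={reflects_unescaped(page, PAYLOAD)} '
              f'script tags={live_script_tags(page)}')
```

Against a real target the same check applies to the captured HTTP response: send a request with a marker-bearing payload to a route that errors, and test whether the body contains the payload verbatim or only its &lt;-escaped form.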
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the origin of the affected web application. This can lead to session hijacking, data theft, or other client-side attacks. The impact is limited to the browser context, but the attacker can access sensitive information available to the user [1][4].
Mitigation
The vulnerability is fixed in Laravel 11.36.0 [2][4]; upgrade to that release or later. As a workaround, disable debug mode in production (APP_DEBUG=false): the debug error page is then never rendered, which removes the attack surface entirely, and it should be off in production regardless of this issue because the page also exposes stack traces and request details. No other workarounds are documented [1][3].
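The upgrade-or-disable-debug advice can be checked mechanically. The following Python is an added example, not a tool from the advisory or the Laravel project: it reads a project's composer.lock for the installed laravel/framework version, compares it with the affected range from the table on this page, and evaluates APP_DEBUG from .env with the truthiness Laravel applies (env() maps the 'false', 'null' and 'empty' spellings, then config/app.php casts the result with (bool)). The composer.lock and .env contents are constructed samples. Caveat: a deployment may set APP_DEBUG in the process environment or in bootstrap/cache/config.php, which a file-only check does not see.

```python
import json
from typing import Optional, Tuple

# Added example, not a tool from the advisory or the Laravel project: decides from a
# project's composer.lock and .env whether it is exposed to this debug-page reflection.

AFFECTED_MIN = (11, 9, 0)   # first affected release (from the table on this page)
FIXED = (11, 36, 0)         # first patched release


def parse_version(tag: str) -> Tuple[int, ...]:
    """'v11.35.1' -> (11, 35, 1). A pre-release or build suffix is dropped and a
    non-numeric component (dev branches) compares as 0, which is enough for
    checking stable releases against the affected range."""
    core = tag.lstrip('vV').split('-', 1)[0].split('+', 1)[0]
    return tuple(int(part) if part.isdigit() else 0 for part in core.split('.'))


def framework_version(composer_lock: str) -> Optional[Tuple[int, ...]]:
    """Installed laravel/framework version from composer.lock, or None if absent."""
    for pkg in json.loads(composer_lock).get('packages', []):
        if pkg.get('name') == 'laravel/framework':
            return parse_version(pkg['version'])
    return None


def is_affected_version(version: Tuple[int, ...]) -> bool:
    return AFFECTED_MIN <= version < FIXED


# Laravel's env() turns these spellings into false/null/'' and config/app.php then
# applies (bool) to the result. Any other non-empty string casts to true, so
# APP_DEBUG=no or APP_DEBUG=off still enables debug mode.
_FALSY = {'', '0', 'false', '(false)', 'null', '(null)', 'empty', '(empty)'}


def app_debug_enabled(dotenv: str) -> bool:
    """APP_DEBUG as Laravel would evaluate it from a .env file. Simplified parser:
    comments and blank lines are skipped, surrounding quotes are removed, a later
    duplicate wins, and when the key is absent the framework default (false)
    applies. Caveat: values set in the process environment or in
    bootstrap/cache/config.php are not seen by this file-only check."""
    value = None
    for raw in dotenv.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, _, val = line.partition('=')
        if key.strip() == 'APP_DEBUG':
            value = val.strip().strip('"\'')
    if value is None:
        return False
    return value.lower() not in _FALSY


def assess(composer_lock: str, dotenv: str) -> str:
    """One of 'not-installed', 'not-affected', 'affected-debug-off', 'vulnerable'."""
    version = framework_version(composer_lock)
    if version is None:
        return 'not-installed'
    if not is_affected_version(version):
        return 'not-affected'
    return 'vulnerable' if app_debug_enabled(dotenv) else 'affected-debug-off'


# Constructed sample inputs, not taken from a real project.
SAMPLE_LOCK = json.dumps({'packages': [{'name': 'laravel/framework', 'version': 'v11.35.1'}]})
SAMPLE_ENV = 'APP_NAME=Demo\nAPP_ENV=production\n# APP_DEBUG=false\nAPP_DEBUG=true\n'

if __name__ == '__main__':
    print(assess(SAMPLE_LOCK, SAMPLE_ENV))           # vulnerable
    print(assess(SAMPLE_LOCK, 'APP_DEBUG=false\n'))  # affected-debug-off
```

The 'affected-debug-off' result is still worth acting on: the reflection returns the moment someone flips APP_DEBUG on to diagnose a production incident, so the upgrade is the durable fix.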
- [1] security - [SBA-ADV-20241209-01] CVE-2024-13918: Laravel 11.9.0-11.35.1 Reflected XSS via Request Parameter in Debug-Mode Error Page
- [2] Patch by angelej · Pull Request #53869 · laravel/framework
- [3] NVD - CVE-2024-13918
- [4] sbaresearch/advisories: advisories/2024/SBA-ADV-20241209-01_Laravel_Reflected_XSS_via_Request_Parameter_in_Debug-Mode_Error_Page at public
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| laravel/framework (Packagist) | >= 11.9.0, < 11.36.0 | 11.36.0 |
Affected products
- Range: 11.9.0
Patches
45287fb2a91c Escape data (#53869)
1 file changed · +2 −2
src/Illuminate/Foundation/resources/exceptions/renderer/components/context.blade.php+2 −2 modified@@ -51,7 +51,7 @@ class="min-w-0 flex-grow" class="min-w-0 flex-grow" style="-webkit-mask-image: linear-gradient(90deg, transparent 0, #000 1rem, #000 calc(100% - 3rem), transparent calc(100% - 1rem))" > - <pre class="scrollbar-hidden mx-5 my-3 overflow-y-hidden text-xs lg:text-sm"><code class="overflow-y-hidden scrollbar-hidden overflow-x-scroll scrollbar-hidden-x">{!! $exception->requestBody() ?: 'No body data' !!}</code></pre> + <pre class="scrollbar-hidden mx-5 my-3 overflow-y-hidden text-xs lg:text-sm"><code class="overflow-y-hidden scrollbar-hidden overflow-x-scroll scrollbar-hidden-x">{{ $exception->requestBody() ?: 'No body data' }}</code></pre> </span> </div> </div> @@ -105,7 +105,7 @@ class="min-w-0 flex-grow" class="min-w-0 flex-grow" style="-webkit-mask-image: linear-gradient(90deg, transparent 0, #000 1rem, #000 calc(100% - 3rem), transparent calc(100% - 1rem))" > - <pre class="scrollbar-hidden mx-5 my-3 overflow-y-hidden text-xs lg:text-sm"><code class="overflow-y-hidden scrollbar-hidden overflow-x-scroll scrollbar-hidden-x">{!! $routeParametersContext !!}</code></pre> + <pre class="scrollbar-hidden mx-5 my-3 overflow-y-hidden text-xs lg:text-sm"><code class="overflow-y-hidden scrollbar-hidden overflow-x-scroll scrollbar-hidden-x">{{ $routeParametersContext }}</code></pre> </span> </div> </div>
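Review bot: the right fix in both hunks of context.blade.php, since {{ }} escapes on output where {!! !!} did not, and the 'No body data' fallback in the first hunk is a constant string that escaping leaves unchanged; what is missing is a regression test. The change touches 1 file and nothing exercises the renderer with a request body or route parameter containing a closing </code></pre> followed by <script>, so a later edit that reintroduces {!! !!} on $exception->requestBody() or $routeParametersContext would go unnoticed. Suggest a test that triggers an exception under debug mode with such a parameter and asserts the response body contains the &lt;-escaped form and not the raw tag. Also worth a follow-up grep of the other templates under resources/exceptions/renderer for {!! !!} applied to request-derived values, since this diff covers only these two sites.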
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/laravel/framework/pull/53869 (GHSA source; patch)
- github.com/advisories/GHSA-546h-56qp-8jmw (GHSA source; advisory)
- github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20241209-01_Laravel_Reflected_XSS_via_Request_Parameter_in_Debug-Mode_Error_Page (GHSA source; third-party advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-13918 (GHSA source; advisory)
- www.openwall.com/lists/oss-security/2025/03/10/3 (GHSA source; web)
- github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/CVE-2024-13918.yaml (GHSA source; web)
- github.com/laravel/framework/commit/45287fb2a91c69bb1c110539b9b7341faf5aee33 (GHSA source; fix commit)
- github.com/laravel/framework/releases/tag/v11.36.0 (GHSA source; release notes)