Laravel Reflected XSS via Route Parameter in Debug-Mode Error Page
Description
The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to improper encoding of route parameters in the debug-mode error page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Laravel 11.9.0–11.35.1 contains a reflected XSS vulnerability in the debug-mode error page due to improper encoding of route parameters.
Vulnerability
Overview
The Laravel framework versions 11.9.0 through 11.35.1 are vulnerable to reflected cross-site scripting (XSS) in the debug-mode error page. The root cause is improper HTML encoding of route parameters when the application is in debug mode (APP_DEBUG=true) and returns a 5XX error. The error page embeds route parameter values directly into the HTML without sanitization, using Laravel's Blade templating engine with the {!! !!} syntax, which disables automatic escaping [1][4].
Exploitation
An attacker can craft a malicious URL containing JavaScript payloads in the route parameters. To exploit this, the target application must have debug mode enabled and must be induced to return an HTTP 5XX error (e.g., by triggering an exception). The victim must click the attacker-supplied link while authenticated to the application. The debug error page then renders the malicious payload, executing arbitrary JavaScript in the victim's browser within the origin of the affected web application [1][4].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to theft of session cookies, exfiltration of sensitive data, or further actions within the application. The CVSS score is 8.0 (High) with vector AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N, reflecting the need for user interaction and debug mode [4].
Mitigation
The vulnerability was fixed in Laravel version 11.36.0 via pull request #53869 [2]. Users running affected versions should upgrade to 11.36.0 or later. As a workaround, disabling debug mode (APP_DEBUG=false) in production environments eliminates the attack surface, as the error page is not rendered [1][4].
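As an added illustration of the Overview and Mitigation paragraphs above (example code, not Laravel's own), a small PHP script reproduces the difference between Blade's `{!! !!}` and `{{ }}` interpolation on a route-parameter dump: a stand-in for the e() helper that `{{ }}` applies, a constructed dump, and the regression-style check a test suite could keep. The pretty-printed JSON layout of $routeParametersContext is an assumption.

```php
<?php
declare(strict_types=1);

// Added example, not Laravel's own code. Stand-in for Blade's e() helper, which
// {{ }} applies and {!! !!} skips: htmlspecialchars with ENT_QUOTES | ENT_SUBSTITUTE.
function blade_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', true);
}

// Builds the route-parameter dump the debug page shows. The variable name
// $routeParametersContext is the template's; the pretty-printed JSON layout is
// an assumption for illustration.
function route_parameters_context(array $parameters): string
{
    return json_encode($parameters, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES);
}

// Pre-fix rendering ({!! $routeParametersContext !!}): the dump is inserted raw,
// so any markup inside a parameter value is parsed by the browser.
function render_unescaped(string $context): string
{
    return '<pre><code>' . $context . '</code></pre>';
}

// Post-fix rendering ({{ $routeParametersContext }}): the dump is entity-encoded,
// so the same markup is displayed as text inside the <pre> block.
function render_escaped(string $context): string
{
    return '<pre><code>' . blade_escape($context) . '</code></pre>';
}

// Constructed input: a route parameter carrying the classic XSS probe string.
$routeParametersContext = route_parameters_context(['user' => '<script>alert(1)</script>']);

echo "before fix:\n", render_unescaped($routeParametersContext), "\n\n";
echo "after fix:\n", render_escaped($routeParametersContext), "\n\n";

// Regression-style check: once escaped, the page must not contain a live
// "<script" tag, only its entity-encoded text form.
$hardened = render_escaped($routeParametersContext);
if (str_contains($hardened, '<script') || !str_contains($hardened, '&lt;script&gt;')) {
    throw new RuntimeException('route parameter was reflected without escaping');
}
echo "check passed: parameter reflected as inert text\n";
```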
- security - [SBA-ADV-20241209-02] CVE-2024-13919: Laravel 11.9.0-11.35.1 Reflected XSS via Route Parameter in Debug-Mode Error Page
- Patch by angelej · Pull Request #53869 · laravel/framework
- advisories/2024/SBA-ADV-20241209-02_Laravel_Reflected_XSS_via_Route_Parameter_in_Debug-Mode_Error_Page at public · sbaresearch/advisories
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| laravel/framework (Packagist) | >= 11.9.0, < 11.36.0 | 11.36.0 |
Affected products
- Range: 11.9.0
Patches
- 45287fb2a91c: Escape data (#53869)
1 file changed · +2 −2
src/Illuminate/Foundation/resources/exceptions/renderer/components/context.blade.php+2 −2 modified@@ -51,7 +51,7 @@ class="min-w-0 flex-grow" class="min-w-0 flex-grow" style="-webkit-mask-image: linear-gradient(90deg, transparent 0, #000 1rem, #000 calc(100% - 3rem), transparent calc(100% - 1rem))" > - <pre class="scrollbar-hidden mx-5 my-3 overflow-y-hidden text-xs lg:text-sm"><code class="overflow-y-hidden scrollbar-hidden overflow-x-scroll scrollbar-hidden-x">{!! $exception->requestBody() ?: 'No body data' !!}</code></pre> + <pre class="scrollbar-hidden mx-5 my-3 overflow-y-hidden text-xs lg:text-sm"><code class="overflow-y-hidden scrollbar-hidden overflow-x-scroll scrollbar-hidden-x">{{ $exception->requestBody() ?: 'No body data' }}</code></pre> </span> </div> </div> @@ -105,7 +105,7 @@ class="min-w-0 flex-grow" class="min-w-0 flex-grow" style="-webkit-mask-image: linear-gradient(90deg, transparent 0, #000 1rem, #000 calc(100% - 3rem), transparent calc(100% - 1rem))" > - <pre class="scrollbar-hidden mx-5 my-3 overflow-y-hidden text-xs lg:text-sm"><code class="overflow-y-hidden scrollbar-hidden overflow-x-scroll scrollbar-hidden-x">{!! $routeParametersContext !!}</code></pre> + <pre class="scrollbar-hidden mx-5 my-3 overflow-y-hidden text-xs lg:text-sm"><code class="overflow-y-hidden scrollbar-hidden overflow-x-scroll scrollbar-hidden-x">{{ $routeParametersContext }}</code></pre> </span> </div> </div>
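Review bot: the switch from `{!! ... !!}` to `{{ ... }}` on the requestBody() line (first hunk, context.blade.php around line 54) is the right fix, because Blade's double-brace syntax routes the value through e() (htmlspecialchars with ENT_QUOTES), so `<`, `>` and quotes in a reflected request body become entities before they land inside the `<pre><code>` block; the browser decodes them for display, so the visible dump is unchanged. The `?: 'No body data'` fallback is now escaped too, which is harmless. Since the commit is titled "Escape data" and touches only two interpolations in one file, a grep of the other renderer components for remaining `{!!` uses on request-derived values would confirm the whole class is closed rather than these two sites.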
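Review bot: the second hunk (`{{ $routeParametersContext }}`, around line 108) is the line CVE-2024-13919 describes, and escaping at output is the correct place to do it, since the dump is plain text inside `<pre><code>`. The change ships with no test ("1 file changed"): a feature test that requests a route whose parameter contains `<script>` with APP_DEBUG=true, forces a 5XX, and asserts the response contains `&lt;script&gt;` and not `<script` would pin the fix against regressions. This only hardens the debug renderer; APP_DEBUG=false in production remains the primary control.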
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/laravel/framework/pull/53869 (ghsa, patch, WEB)
- github.com/advisories/GHSA-83wp-f5c3-hqqr (ghsa, ADVISORY)
- github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20241209-02_Laravel_Reflected_XSS_via_Route_Parameter_in_Debug-Mode_Error_Page (ghsa, third-party-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-13919 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2025/03/10/4 (ghsa, WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/CVE-2024-13919.yaml (ghsa, WEB)
- github.com/laravel/framework/commit/45287fb2a91c69bb1c110539b9b7341faf5aee33 (ghsa, WEB)
- github.com/laravel/framework/releases/tag/v11.36.0 (ghsa, release-notes, WEB)
News mentions
No linked articles in our index yet.