Laravel Security Notice: Laravel Environment Manipulation via Query String

[Notice #3] Update your Laravel version and ensure `register_argc_argv` is disabled for non-CLI requests!


A new High severity vulnerability was announced in the Laravel framework last week, CVE-2024-52301: Laravel environment manipulation via query string. This followed on from one announced in Symfony the week before, CVE-2024-50340: Ability to change environment from query.

The Vulnerability

As per the GitHub Security Advisory:

When the register_argc_argv php directive is set to on, and users call any URL with a specially crafted query string, they are able to change the environment used by the framework when handling the request.

This is kinda vague, but I've done some testing and was able to replicate it. As best I can tell, this only allows you to change the APP_ENV value on Laravel apps, but that is more than enough to pose a significant risk to your apps.

The risk is that we rely on APP_ENV to tell us where the code is running, and will often have debug helpers and authentication bypasses available to make local dev easier, plus tools like Laravel Horizon and Telescope will bypass authentication on local dev. So an attacker can toggle your app into local dev mode, and bypass a bunch of protections, potentially gaining access to everything in your app.

Is Your App Vulnerable?

Your app is only vulnerable if you have the register_argc_argv PHP ini config enabled on your web requests (i.e. php-fpm for Nginx, etc.). This config option is supposed to be disabled by default, although I've seen reports that the default PHP docker container and many web hosts leave it enabled.

You can check either by calling the following:

var_dump(ini_get('register_argc_argv'));

Or with:

phpinfo();

Do a search for register_argc_argv in the output.

Note: you'll need to run these on your website, not via the CLI. This option is supposed to be enabled on the CLI.

The Fix

  1. Ensure register_argc_argv is disabled in your php.ini for non-CLI requests (i.e. php-fpm for Nginx, etc.).
  2. Update Laravel to the latest version.

Given the severity of the issue, Laravel has backported fixes to the following versions:

6.20.45
7.30.7
8.83.28
9.52.17
10.48.23
11.31.0

You only need to update Laravel to avoid the issue, but given register_argc_argv is supposed to be disabled on production, it's a good idea to do that too. It may prevent similar issues in the future.
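As an added example (my own code, not from the post above or from the Laravel project), here is a global middleware that turns the check and the fix into a runtime guard: it logs when register_argc_argv is on for the SAPI actually serving the request, and fails closed when the environment Laravel detected differs from the one deployed. It assumes config/app.php carries a literal 'deployed_env' => 'production' (hypothetical key, written at deploy time and deliberately not an env() call, so a swapped environment cannot change it).

```php
<?php
// Added example, not code from the post or the Laravel project. Global middleware:
// logs when register_argc_argv is on for a web SAPI and fails closed when the
// environment Laravel detected differs from the one deployed. Assumption: config/app.php
// holds a literal 'deployed_env' => 'production' (hypothetical key, not an env() call).
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Symfony\Component\HttpFoundation\Response;

class EnsureEnvironmentIntegrity
{
    public function handle(Request $request, Closure $next): Response
    {
        // Check 1: the ini setting this advisory depends on, read on the SAPI that is
        // serving the request (the CLI is expected to have it enabled).
        if (php_sapi_name() !== 'cli' && self::iniFlagOn(ini_get('register_argc_argv'))) {
            Log::warning('register_argc_argv is on for the web SAPI; set '
                . 'php_admin_flag[register_argc_argv] = off in the php-fpm pool');
        }

        // Check 2: the environment detected for this request must equal the value
        // baked in at deploy time; anything else is treated as hostile.
        $detected = app()->environment();
        $deployed = config('app.deployed_env');
        if (self::environmentMismatch($detected, $deployed)) {
            Log::critical('Environment mismatch on request', [
                'detected' => $detected, 'deployed' => $deployed,
                'ip' => $request->ip(), 'path' => $request->path(),
            ]);
            abort(503);
        }
        return $next($request);
    }

    // ini_get() returns "1", "0", "", "on"/"off" or false; normalise to bool.
    public static function iniFlagOn(string|false $raw): bool
    {
        return $raw !== false && filter_var($raw, FILTER_VALIDATE_BOOLEAN);
    }

    // Pure comparison so the rule can be unit tested without an HTTP request.
    public static function environmentMismatch(string $detected, ?string $deployed): bool
    {
        return $deployed !== null && $detected !== $deployed;
    }
}
```

Register it as a global middleware (the Kernel's $middleware array on older versions, withMiddleware() in bootstrap/app.php on Laravel 11) and unit-test the two static methods; the 503 is intentional fail-closed behaviour, so keep the deployed value correct in every environment you ship to.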

Final Comments

As I said above, I have replicated the issue - it's surprisingly trivial to exploit. I won't reveal the information at the moment, to give folks time to patch and update, but maybe I'll demo it in a later conference talk. 🤔

I can see this one being overlooked by folks because it only allows modification of APP_ENV, but when you consider how often we use app()->isProduction() in some situations, it's easy to see why this has the potential to be a massive security risk. For example, I've seen a number of authentication helpers that add magic login links for local development, which would allow complete account takeovers and privilege escalation if enabled on production sites. 😱

Final note, I should have jumped on this one sooner, ideally last week, but none of my servers were vulnerable (on Laravel Forge), and given the register_argc_argv option is recommended to be disabled, I assumed it wasn't widespread... which I should not have done. I dropped the ball, and I apologise for that.