Security Tip: Use a Supported Version of Laravel!
[Tip#69] Are you using the latest version of Laravel? If not, do you have an upgrade planned?
One of the essential steps to keeping your apps secure is keeping your dependencies updated. We’ve talked about updating or removing dependencies before, although that focused mainly on packages, and the OWASP Top 10 includes A06:2021 – Vulnerable and Outdated Components, but we haven’t specifically talked about Laravel framework updates.
At the time of writing this article, the Laravel Framework release schedule has a major release every year in Q1, which is supported with bug fixes for 18 months, and security fixes for 2 years.
At the time of updating this article (September 2024), the current major version is 11, with version 10 receiving security fixes, and version 9 and earlier unsupported.
You can find the updated release schedule here: https://laravel.com/docs/releases#support-policy
Keeping this schedule in mind, it is critical that you keep your app on a supported version of Laravel. Ideally upgrading to the latest version within the first 12-18 months, to ensure you receive bug fixes, but if not, then upgrade within 2 years to receive security fixes.
It's easy to say upgrade, but here’s why you should:
If a major vulnerability is discovered in an unsupported version of Laravel, it will be outside the support window and will not be patched. This means any application running these older versions will be vulnerable, and open for attack. Only upgrading to a supported version of Laravel will patch the vulnerability and keep the app safe.
This is exactly what the attacks conducted by the "Androxgh0st" malware (as per Laravel Security Notice #2) were doing. They were targeting a known vulnerability in Laravel 5 on apps that hadn’t been updated in years.
This sort of attack happens constantly within the WordPress world, and the fact that Cybersecurity and Infrastructure Security Agency (CISA) released an advisory that includes Laravel specifically as the target tells me attackers are starting to notice Laravel apps and look for exploits. So we need to be prepared and check our security.
