Security Tip: Use a Supported Version of Laravel!

[Tip#69] Are you using Laravel 10? If not, do you have an upgrade planned? If you're not on 10, your app may be at risk!


One of the essential steps to keeping your apps secure is keeping your dependencies updated. We’ve talked about updating dependencies [1] before, although that focused mainly on packages, and the OWASP Top 10 includes A06:2021 – Vulnerable and Outdated Components, but we haven’t specifically talked about Laravel framework updates.

The Laravel Framework has a major release every year within Q1 [2]. Version 9 was released on the 8th February 2022, version 10 came out on the 14th February 2023, and version 11 is due in Q1 2024 - sometime in the next two months.

Once a version of Laravel is released, it receives non-breaking feature updates and bug fixes for 18 months after the release date, and security fixes are provided for 2 years after the release date.

[Image: Support Policy table from the Laravel documentation showing supported versions.]

Therefore, it is critical that you keep your app running a supported version of Laravel. Ideally that means the latest release (currently 10), so you also receive bug fixes, but at the very least a version that is still within its 2 year security fix window.

A really good resource for tracking Laravel versions is this site made by the awesome folks at Tighten:

This email is scheduled to go out on the 22nd January 2024, and according to the schedule, Laravel 9 will only receive security fixes for 15 more days, after which it will be considered end of life.

It is critical that you upgrade any Laravel apps on 9 (or earlier) as soon as possible!

Here’s why:

If a major vulnerability in Laravel 9 is discovered on the 8th February 2024, 2 days after security fixes ended, it will be outside the support window and will not be patched. This means any application running Laravel 9 will be vulnerable and open to attack. Only upgrading to Laravel 10 will patch the vulnerability and keep the app safe.
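To turn the support policy above into a check you can run against your own project, here is an added example (not code from the original tip or from Laravel): it reads the laravel/framework version pinned in a composer.lock and reports whether that major is still receiving bug fixes, security fixes only, or is end of life, using the release dates quoted above and the 18 month / 24 month windows. The release table, the sample lock file and the strict month arithmetic are assumptions; the official schedule can differ by a few days (the tip counts Laravel 9 security fixes as ending on the 6th February 2024, while 24 months from the release date lands on the 8th), so confirm against the official table before relying on the dates.

```python
import calendar
import json
from datetime import date

# Release dates quoted in the tip (assumed table; extend it for newer majors).
# The official schedule may differ by a few days, so treat results as approximate.
RELEASES = {9: date(2022, 2, 8), 10: date(2023, 2, 14)}
BUG_FIX_MONTHS, SECURITY_FIX_MONTHS = 18, 24  # the policy described above


def add_months(d, months):
    """Add calendar months to a date, clamping the day to the target month."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def installed_major(lock_json):
    """Major version of laravel/framework pinned in composer.lock, or None."""
    for pkg in json.loads(lock_json).get("packages", []):
        if pkg.get("name") == "laravel/framework":
            return int(pkg["version"].lstrip("v").split(".")[0])
    return None


def support_status(major, today):
    """Return (status, bug_fixes_until, security_fixes_until) for a major.

    `today` may be a date or an ISO-8601 string such as "2024-01-22".
    """
    today = date.fromisoformat(today) if isinstance(today, str) else today
    if major not in RELEASES:
        # Anything older than the table is long past both windows.
        status = "end-of-life" if major < min(RELEASES) else "unknown"
        return status, None, None
    released = RELEASES[major]
    bug_end = add_months(released, BUG_FIX_MONTHS)
    sec_end = add_months(released, SECURITY_FIX_MONTHS)
    if today < bug_end:
        status = "active"
    elif today < sec_end:
        status = "security fixes only"
    else:
        status = "end-of-life"
    return status, bug_end, sec_end


# Constructed sample lock file: an app still pinned to Laravel 9.
SAMPLE_LOCK = json.dumps({"packages": [{"name": "laravel/framework", "version": "v9.52.16"}]})

if __name__ == "__main__":
    major = installed_major(SAMPLE_LOCK)
    status, _, sec_end = support_status(major, date.today())
    print(f"laravel/framework {major}: {status} (security fixes until {sec_end})")
```

Point `installed_major` at the contents of your real composer.lock to check a deployed app; anything reporting "security fixes only" belongs on the upgrade plan now, and "end-of-life" or "unknown" needs immediate attention.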

This is exactly what the attacks conducted by the "Androxgh0st" malware (as per Friday’s Laravel Security Notice) were doing. They were targeting a known vulnerability in Laravel 5 on apps that hadn’t been updated in years.

This sort of attack happens constantly within the WordPress world, and the fact that the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory that names Laravel specifically as the target tells me attackers are starting to notice Laravel apps and look for exploits. So we need to be prepared and check our security.

Looking to learn more?
Security Tip #50: Watch out for Resource Authorisation
▶️ In Depth #17: Storing Environment Variables Safely

👉 Looking to dive deeper into Laravel security? Check out Practical Laravel Security, my hands-on security course that uses interactive hacking challenges to teach you about how vulnerabilities work, so you can avoid them in your own code. 🕵️

👉 Worried about your app being hacked? Book in a Laravel Security Audit and Penetration Test! I can find the vulnerabilities before a hacker does, and help you fix them. 🕵️

  [1] As well as removing unused dependencies, and replacing tiny packages with your own implementations.

  [2] This was the plan when this post was written; it may change over time.