CVE-2024-52301

Laravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-cli SAPIs.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/laravel/framework/security/advisories/GHSA-gv7v-rgg6-548h	Vendor Advisory
https://lists.debian.org/debian-lts-announce/2024/12/msg00019.html	Third Party Advisory Mailing List

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:laravel:framework::::::::
	cpe:2.3:a:laravel:framework::::::::
	cpe:2.3:a:laravel:framework::::::::
	cpe:2.3:a:laravel:framework::::::::
	cpe:2.3:a:laravel:framework::::::::
	cpe:2.3:a:laravel:framework::::::::

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

History

26 Aug 2025, 02:37

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~() https://github.com/laravel/framework/security/advisories/GHSA-gv7v-rgg6-548h -~~	() https://github.com/laravel/framework/security/advisories/GHSA-gv7v-rgg6-548h - Vendor Advisory
References	~~() https://lists.debian.org/debian-lts-announce/2024/12/msg00019.html -~~	() https://lists.debian.org/debian-lts-announce/2024/12/msg00019.html - Third Party Advisory, Mailing List
First Time		Debian debian Linux Laravel Laravel framework Debian
CPE		cpe:2.3:a:laravel:framework:::::::: cpe:2.3:o:debian:debian_linux:11.0:::::::*

21 Dec 2024, 17:15

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2024/12/msg00019.html -

21 Nov 2024, 17:15

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~0.0~~	v2 : unknown v3 : unknown

13 Nov 2024, 15:35

Type	Values Removed	Values Added
Summary		(es) Laravel es un framework de aplicaciones web. Cuando la directiva de php register_argc_argv está establecida en on y los usuarios llaman a cualquier URL con una cadena de consulta especialmente manipulada, pueden cambiar el entorno que utiliza el framework al procesar la solicitud. La vulnerabilidad se corrigió en 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23 y 11.31.0. El framework ahora ignora los valores argv para la detección del entorno en SAPI que no son de CLI.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 0.0

12 Nov 2024, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-12 20:15

Updated : 2025-08-26 02:37

NVD link : CVE-2024-52301

Mitre link : CVE-2024-52301

CVE.ORG link : CVE-2024-52301

JSON object : View

Products Affected

debian

debian_linux

laravel

framework

CWE

CWE-88

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

7.5 /10