KEVIntel

CVE-2018-15133 · PUBLISHED

CVSS 8.1 (High)


Exploited in the wild · Remote · No user interaction

Vendor: Laravel
Product: Laravel Framework
Published: Aug 09, 2018
EPSS

Description

In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.

Tags: php · cisa · metasploit

CVSS scores

CVSS v3.1 8.1 High

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0 6.8

AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitation status

Exploited in the wild

Recorded 2024-01-16 00:00:00 UTC

SSVC decision points

Exploitation: active
Automatable: No
Technical impact: total

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source: CISA (added Jan 16, 2024)

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

yeahhbean/Laravel-CVE-2018-15133

github · Created 2025-04-27 09:32:50 UTC · 0 stars

NatteeSetobol/CVE-2018-15133-Lavel-Expliot

github · Created 2021-12-28 02:33:13 UTC · 0 stars

"Lavel Exploit CVE-2018-15133 is a powerful exploit that allows attackers to gain unauthorized access to vulnerable systems. This exploit was originally developed as part of a Capture The Flag (CTF) challenge and has since been used by security researchers and ethical hackers to identify and address vulnerabilities in web applications.

AzhariKun/CVE-2018-15133

github · Created 2021-01-03 08:06:46 UTC · 3 stars

AlienX2001/better-poc-for-CVE-2018-15133

github · Created 2020-11-09 08:44:27 UTC · 0 stars

An automated PoC for CVE 2018-15133

Bilelxdz/Laravel-CVE-2018-15133

github · Created 2020-02-25 18:36:13 UTC · 0 stars

This Python exploit will let you build lists of sites and exploit them quickly.

kozmic/laravel-poc-CVE-2018-15133

github · Created 2018-08-14 18:51:50 UTC · 251 stars

PoC for CVE-2018-15133 (Laravel unserialize vulnerability)

Timeline

  • CVE ID Reserved
  • CVE Published to Public
  • Added to KEVIntel
  • Detected by Metasploit