CVE-2018-15133


Basic Information

CVE State: PUBLISHED
Reserved Date: August 07, 2018
Published Date: August 09, 2018
Last Updated: February 03, 2025
Vendor: Laravel
Product: Laravel Framework
Description
In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.
Tags: php, cisa, metasploit_scanner

CVSS Scores

CVSS v3.1: 8.1 - HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0: 6.8
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

SSVC Information

Exploitation: active
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2024-01-16 00:00:00 UTC)
Proof of Concept Available: Yes (added 2020-11-09 08:44:27 UTC)

Known Exploited Vulnerability Information

Source: CISA
Added Date: 2024-01-16 00:00:00 UTC

Scanner Integrations

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

yeahhbean/Laravel-CVE-2018-15133

Type: github • Created: 2025-04-27 09:32:50 UTC • Stars: 0

NatteeSetobol/CVE-2018-15133-Lavel-Expliot

Type: github • Created: 2021-12-28 02:33:13 UTC • Stars: 0

Lavel Exploit CVE-2018-15133 is a powerful exploit that allows attackers to gain unauthorized access to vulnerable systems. This exploit was originally developed as part of a Capture The Flag (CTF) challenge and has since been used by security researchers and ethical hackers to identify and address vulnerabilities in web applications.

AzhariKun/CVE-2018-15133

Type: github • Created: 2021-01-03 08:06:46 UTC • Stars: 3

AlienX2001/better-poc-for-CVE-2018-15133

Type: github • Created: 2020-11-09 08:44:27 UTC • Stars: 0

An automated PoC for CVE 2018-15133

Bilelxdz/Laravel-CVE-2018-15133

Type: github • Created: 2020-02-25 18:36:13 UTC • Stars: 0

This Python exploit lets you build lists of sites and exploit them quickly.

kozmic/laravel-poc-CVE-2018-15133

Type: github • Created: 2018-08-14 18:51:50 UTC • Stars: 251

PoC for CVE-2018-15133 (Laravel unserialize vulnerability)

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Proof of Concept Exploit Available

  • Added to KEVIntel

  • Detected by Metasploit