CVE-2024-52301

HIGH EXPLOITED

Laravel Framework < 6.20.45 - Environment Manipulation via Crafted Query String

Title source: llm

Exploitation Summary

CVE-2024-52301 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including Nyamort, martinhaunschmid, nanwinata.

AI-analyzed exploit summary This repository provides a detailed writeup and proof-of-concept for CVE-2024-52301, which exploits Laravel's environment detection mechanism by manipulating $_SERVER['argv'] via URL parameters when register_argc_argv is enabled in PHP. The vulnerability allows an attacker to override the application environment, affecting Blade directives and other environment-dependent logic.

Description

Laravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-cli SAPIs.

Exploits (4)

nomisec WRITEUP 20 stars

by Nyamort · poc

https://github.com/Nyamort/CVE-2024-52301

View Code ZIP pw:eip

This repository provides a detailed writeup and proof-of-concept for CVE-2024-52301, which exploits Laravel's environment detection mechanism by manipulating $_SERVER['argv'] via URL parameters when register_argc_argv is enabled in PHP. The vulnerability allows an attacker to override the application environment, affecting Blade directives and other environment-dependent logic.

Classification

Writeup 90%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Laravel Framework (specific version not specified)

No auth needed

Prerequisites: register_argc_argv enabled in PHP configuration · Laravel application using environment detection via $_SERVER['argv']

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 4 stars

by martinhaunschmid · infoleak

https://github.com/martinhaunschmid/CVE-2024-52301-Research

View Code ZIP pw:eip

This PoC demonstrates CVE-2024-52301, a vulnerability in Laravel where GET parameters can manipulate application configuration due to improper handling of `--env` arguments. The exploit leverages `register_argc_argv` being enabled to treat query parameters as command-line arguments.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Laravel Framework versions 6.20.44 and below

No auth needed

Prerequisites: PHP `register_argc_argv` enabled · Laravel application exposed to untrusted input

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec SCANNER 1 stars

by nanwinata · remote

https://github.com/nanwinata/CVE-2024-52301

View Code ZIP pw:eip

This script automates the detection of CVE-2024-52301, a Laravel environment manipulation vulnerability, by enumerating subdomains and testing them with crafted query strings. It checks for indicators of vulnerability in HTTP responses but does not include an exploit payload.

Classification

Scanner 90%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Theoretical

Target: Laravel (versions before 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0)

No auth needed

Prerequisites: subfinder · httpx · target domain

MITRE ATT&CK

T1595 - Active Scanning

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec SCANNER

by fckoo · poc

https://github.com/fckoo/nanwinata-CVE-2024-52301

View Code ZIP pw:eip

This repository contains a scanner script that checks for Laravel Arbitrary Argument Injection vulnerability (CVE-2024-52301) by enumerating subdomains and testing specific payloads. It does not include a functional exploit but detects potential vulnerabilities.

Classification

Scanner 90%

Attack Type

Other

Complexity

Moderate

Reliability

Theoretical

Target: Laravel Framework (versions before 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0)

No auth needed

Prerequisites: subfinder · httpx · domain name

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Apr 09, 2026 Full analysis →

References (2)

Core 2

Core References

Mailing List, Third Party Advisory

https://lists.debian.org/debian-lts-announce/2024/12/msg00019.html

Vendor Advisory x_refsource_confirm

https://github.com/laravel/framework/security/advisories/GHSA-gv7v-rgg6-548h

Scores

CVSS v3 7.5

EPSS 0.6571

EPSS Percentile 98.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

VulnCheck KEV 2025-06-08

CWE

CWE-88

Status published

Products (3)

debian/debian_linux 11.0

laravel/framework < 6.20.45

laravel/framework 0 - 6.20.45Packagist

Published Nov 12, 2024

Tracked Since Feb 18, 2026