Description
Laravel Rest Api is an API generator. Prior to version 2.13.0, a validation bypass vulnerability was discovered where multiple validations defined for the same attribute could be silently overridden. Due to how the framework merged validation rules across multiple contexts (such as index, store, and update actions), malicious actors could exploit this behavior by crafting requests that bypass expected validation rules, potentially injecting unexpected or dangerous parameters into the application. This could lead to unauthorized data being accepted or processed by the API, depending on the context in which the validation was bypassed. This issue has been patched in version 2.13.0.
References (3)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/Lomkit/laravel-rest-api/security/advisories/GHSA-69rh-hccr-cxrj
Issue Tracking x_refsource_misc
https://github.com/Lomkit/laravel-rest-api/pull/172
Scores
CVSS v4
6.6
EPSS
0.0052
EPSS Percentile
39.6%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-1173
CWE-20
Status
published
Products (2)
lomkit/laravel-rest-api
0 - 2.13.0 Packagist
Lomkit/laravel-rest-api
< 2.13.0
Published
May 30, 2025
Tracked Since
Feb 18, 2026