Laravel Encrypter Component Potential Decryption Failure Leading to Unintended Behavior

The Laravel Encrypter component is susceptible to a vulnerability that may result in decryption failure, leading to an unexpected return of false. Exploiting this issue requires the attacker to manipulate the encrypted payload before decryption. When combined with weak type comparisons in the application's code, such as the example below:

&lt;?php

$decyptedValue = decrypt($secret);

if ($decryptedValue == &#039;&#039;) {
    // Code is run even though decrypted value is false...
}

Published: May 15, 2024
Updated: Jun 27, 2024
GHSA: GHSA-7852-w36x-6mf6
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-1240

Affected Software
References

Software	From	Fixed in
laravel / framework	-	5.5.40
laravel / framework	5.6.0	5.6.15

https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/2018-03-30-1.yaml
https://github.com/laravel/framework/commit/28e53f23a76206fb130e9a54eb95aa3f010e79c9
https://github.com/laravel/framework/commit/886d261df0854426b4662b7ed5db6a1c575a4279
https://medium.com/@taylorotwell/laravel-security-release-5-6-15-and-5-5-40-56f1257933a0

Vulnerability Database

Laravel Encrypter Component Potential Decryption Failure Leading to Unintended Behavior