Reflected Cross-Site Scripting Vulnerability in Laravel Framework
CVE-2024-13919
6.1 MEDIUM
What is CVE-2024-13919?
The Laravel framework is vulnerable to reflected cross-site scripting due to improper encoding of route parameters in its debug-mode error page. This flaw affects versions 11.9.0 through 11.35.1, potentially allowing attackers to execute malicious scripts in users' browsers. The vulnerability arises when the framework does not sanitize the output of error messages, leading to the possibility of unauthorized script execution.
Affected Version(s)
Laravel Framework 11.9.0 <= 11.35.1
CVSS V3.1
Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Fabian Funder (SBA Research)
Philipp Adelsberger (SBA Research)
Jeremy Angele