
GHSA-gv7v-rgg6-548h

GitHub Security Advisory

Laravel environment manipulation via query string

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

## Description

When the `register_argc_argv` PHP directive is set to `on`, and users call any URL with a specially crafted query string, they are able to change the environment used by the framework when handling the request.

## Resolution

The framework now ignores argv values for environment detection on non-cli SAPIs.

Affected Packages

Packagist laravel/framework: affected versions 0 (fixed in 6.20.45)
Packagist laravel/framework: affected versions 7.0.0 (fixed in 7.30.7)
Packagist laravel/framework: affected versions 8.0.0 (fixed in 8.83.28)
Packagist laravel/framework: affected versions 9.0.0 (fixed in 9.52.17)
Packagist laravel/framework: affected versions 10.0.0 (fixed in 10.48.23)
Packagist laravel/framework: affected versions 11.0.0 (fixed in 11.31.0)
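
To check a deployment against the ranges above, the following added example (not part of the advisory and not Laravel project code) reads a `composer.lock` and reports whether the locked `laravel/framework` release is affected. The function names and the sample lock content are assumptions made for illustration; the check covers the package version only, not the `register_argc_argv` setting.

```python
import json

# Affected ranges from this advisory: (introduced, first fixed version).
AFFECTED = [
    ((0, 0, 0), (6, 20, 45)),
    ((7, 0, 0), (7, 30, 7)),
    ((8, 0, 0), (8, 83, 28)),
    ((9, 0, 0), (9, 52, 17)),
    ((10, 0, 0), (10, 48, 23)),
    ((11, 0, 0), (11, 31, 0)),
]


def parse_version(text):
    """Turn 'v10.48.22' or '9.52.17' into a comparable tuple of ints."""
    core = text.strip().lstrip("vV").split("-")[0].split("+")[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric release version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected(version):
    """True if the version falls in any [introduced, fixed) range above."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED)


def audit_lock(lock_text, package="laravel/framework"):
    """Return (version, status); status is affected, patched, unknown or absent."""
    lock = json.loads(lock_text)
    for entry in lock.get("packages", []) + lock.get("packages-dev", []):
        if entry.get("name") == package:
            version = entry.get("version", "")
            try:
                return version, "affected" if is_affected(version) else "patched"
            except ValueError:
                # Dev branches such as '10.x-dev' cannot be range-checked.
                return version, "unknown"
    return None, "absent"


# Constructed sample composer.lock content (not from a real project).
SAMPLE_LOCK = '{"packages": [{"name": "laravel/framework", "version": "v10.48.22"}]}'
```

A status of `unknown` means the lock file pins a branch rather than a tagged release, so the installed commit has to be compared with the fixed releases by hand.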

Related CVEs

Key Information

GHSA ID: GHSA-gv7v-rgg6-548h
Published: November 12, 2024 10:08 PM
Last Modified: December 21, 2024 6:30 PM
CVSS Score: 7.5/10
Primary Ecosystem: Packagist
Primary Package: laravel/framework
GitHub Reviewed: ✓ Yes

Dataset

Last updated: June 17, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.